Bug 129415 - iproute2 buffer overflows
Summary: iproute2 buffer overflows
Status: VERIFIED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Basesystem
Version: RC 4
Hardware: Other Other
: P5 - None : Critical
Target Milestone: ---
Assignee: Mads Martin Joergensen
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-19 16:10 UTC by Dirk Mueller
Modified: 2005-11-03 09:50 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Dirk Mueller 2005-10-19 16:10:43 UTC
$ ip route show src 10.10.2.227 
*** buffer overflow detected ***: ip terminated 
Aborted 
 
where 10.10.2.227 is your own ip
Comment 1 Mads Martin Joergensen 2005-10-20 13:36:51 UTC
Fixed in STABLE
Comment 2 Mads Martin Joergensen 2005-10-20 13:43:55 UTC
Anja, I need a SWAMP id for making a bugfix update for 10.0. It's obviously
correct.

The patch is this:
-     memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len);
+     memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len/8);
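Review bot: The length passed to memcpy on the `+` line is still taken on trust. `host_len/8` fixes the unit, but nothing in the lines shown checks it against the size of `via.data` or against the actual payload length of `tb[RTA_GATEWAY]`. I would add a guard before the copy, for example comparing `host_len/8` with `sizeof(via.data)` and `RTA_PAYLOAD(tb[RTA_GATEWAY])`, so a short or mismatched attribute cannot cause an over-read or over-write.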

and

-     memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len);
+     memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len/8);
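Review bot: The `host_len/8` conversion is now written out by hand at a second call site, which is how the unit mix-up gets reintroduced later. Consider computing the byte length once (a local variable or a small helper next to where `host_len` is set) and using it for both the `RTA_GATEWAY` and `RTA_PREFSRC` copies, with a comment at the definition stating that `host_len` is in bits. It is also worth checking any other place where `host_len` is passed to a byte-counted function.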

They're overflowing the struct, because memcpy takes bytes and host_len is bits.
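
Added example (not part of the original comment and not iproute2 code): a bounds-checked copy that converts a bit length to bytes before calling memcpy and rejects lengths that do not fit. `struct addr_buf`, its 16-byte data field and `copy_addr_attr` are hypothetical stand-ins; the payloads are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for an address holder; 16 data bytes is an assumption
 * (enough for an IPv6 address). */
struct addr_buf {
    uint8_t family;
    uint8_t bytelen;
    uint8_t data[16];
};

/* Copy an address attribute whose width is given in BITS.
 * Returns 0 on success, -1 if the lengths are inconsistent. */
static int copy_addr_attr(struct addr_buf *dst, const void *payload,
                          size_t payload_len, unsigned host_len_bits)
{
    size_t nbytes;

    if (host_len_bits == 0 || host_len_bits % 8 != 0)
        return -1;
    nbytes = host_len_bits / 8;      /* bits -> bytes, the unit memcpy takes */
    if (nbytes > sizeof(dst->data))  /* would write past the destination */
        return -1;
    if (nbytes > payload_len)        /* would read past the attribute payload */
        return -1;
    memcpy(dst->data, payload, nbytes);
    dst->bytelen = (uint8_t)nbytes;
    return 0;
}

/* Constructed sample: 10.10.2.227 as a 4-byte payload, width 32 bits. */
static int demo_ipv4(void)
{
    static const uint8_t payload[4] = {10, 10, 2, 227};
    struct addr_buf a = {0};

    if (copy_addr_attr(&a, payload, sizeof payload, 32) != 0)
        return -1;
    return (a.bytelen == 4 && a.data[3] == 227) ? 0 : -1;
}

/* The unit mix-up: treating 32 as a byte count means asking for 256 bits.
 * The helper refuses, because 32 bytes do not fit in 16. */
static int demo_bits_as_bytes(void)
{
    static const uint8_t payload[4] = {10, 10, 2, 227};
    struct addr_buf a = {0};

    return copy_addr_attr(&a, payload, sizeof payload, 32 * 8);
}
```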
Comment 3 Dirk Mueller 2005-10-20 13:46:07 UTC
Do you already have a fixed package? I'd like to test it on the live system.
Comment 4 Mads Martin Joergensen 2005-10-20 13:54:42 UTC
/work/built/mbuild/pothole-mmj-1/10.0-i386/iproute2-2.6.13-2.1.i586.rpm
Comment 5 Mads Martin Joergensen 2005-10-21 12:11:21 UTC
Dirk, did you verify it works?
Comment 6 Dirk Mueller 2005-10-21 16:22:50 UTC
works fine, can't find any further problems

Comment 7 Mads Martin Joergensen 2005-10-21 16:25:36 UTC
Andreas, I need a SWAMP id for a bugfix update for 10.0.
Comment 8 Andreas Jaeger 2005-10-26 06:40:25 UTC
Approved, Maintenance-Tracker-2678
Comment 9 Mads Martin Joergensen 2005-11-01 13:05:51 UTC
Fixed and submitted for 10.0
Comment 10 Anja Stock 2005-11-03 09:50:05 UTC
released