commit-inetutils

[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_4-74-gda919d


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_4-74-gda919de
Date: Tue, 4 Feb 2020 08:41:05 -0500 (EST)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils".

The branch, master has been updated
       via  da919de3f4d778c250550f68fdf03b4540e8aa28 (commit)
      from  60d0f2ec4eb0f14765d40a58ab0e556ef6de58cb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=da919de3f4d778c250550f68fdf03b4540e8aa28


commit da919de3f4d778c250550f68fdf03b4540e8aa28
Author: Mats Erik Andersson <address@hidden>
Date:   Tue Feb 4 11:47:34 2020 +0100

    Buffer overflow in tftp and tftpd.
    
    Recent Gnu libc and Gcc inject checks for buffer size into strcpy().
    These interfere with declarations in <arpa/tftp.h>.  Issue was reported
    independently by Mike Gilbert and Ricardo Ribalda Delgado.

diff --git a/ChangeLog b/ChangeLog
index 3b625d8..9640887 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2020-02-04  Mats Erik Andersson  <address@hidden>
+
+       Buffer overflow in tftp and tftpd.
+       Recent versions of Gnu libc and Gcc are injecting buffer checks
+       into strcpy().  Both executables, tftp and tftpd, are effectively
+       copying into a formally declared `char th_msg[1]', ignorant of
+       the underlying buffer being of size PKTSIZE.
+       Problem was reported by Mike Gilbert and Ricardo Ribalda Delgado:
+       https://lists.gnu.org/archive/html/bug-inetutils/2017-12/msg00001.html
+       https://lists.gnu.org/archive/html/bug-inetutils/2019-07/msg00002.html
+
+       * src/tftp.c (nak): Replace strcpy() by memcpy(), after the
+       needed calculation of string length.
+       * src/tftpd.c (nak): Likewise.
+
+       * tests/tftp.sh: New compound test with multiple requests.
+
 2020-02-03  Mats Erik Andersson  <address@hidden>
 
        whois: AUDA services Australia.
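
Review bot: The entry title "Buffer overflow in tftp and tftpd." reads as a memory-corruption fix, while the body describes the buffer checks that libc and GCC inject into strcpy() acting on the formally declared char th_msg[1] although the underlying buffer is of size PKTSIZE. Suggest wording the title after what the body says, so that anyone triaging the log can tell which of the two cases this is. The entry could also state whether the copied message is bounded by PKTSIZE, since "after the needed calculation of string length" only covers the source side of the copy.
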
diff --git a/src/tftp.c b/src/tftp.c
index d9a0f9e..e44dd58 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -1294,8 +1294,8 @@ nak (int error)
       pe->e_msg = strerror (error - 100);
       tp->th_code = EUNDEF;
     }
-  strcpy (tp->th_msg, pe->e_msg);
   length = strlen (pe->e_msg) + 4;
+  memcpy (tp->th_msg, pe->e_msg, length - 3);
   if (trace)
     tpacket ("sent", tp, length);
   if (sendto (f, ackbuf, length, 0, (struct sockaddr *) &peeraddr,
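
Review bot: In nak(), the size argument "length - 3" is hard to verify at a glance: it equals strlen (pe->e_msg) + 1 only because length was set to strlen (pe->e_msg) + 4 on the line before, so copying the terminating NUL depends on two constants staying in step. Suggest keeping the string length in its own variable and writing the copy size as that length plus one. Note also that the length passed to sendto() here is strlen + 4, whereas nak() in src/tftpd.c ends up with strlen + 5, so the two implementations differ by one byte in packet length for the same message; either align them or add a comment on why they differ.
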
diff --git a/src/tftpd.c b/src/tftpd.c
index ba51f24..0e485d4 100644
--- a/src/tftpd.c
+++ b/src/tftpd.c
@@ -862,8 +862,8 @@ nak (int error)
       pe->e_msg = strerror (error - 100);
       tp->th_code = EUNDEF;    /* set 'undef' errorcode */
     }
-  strcpy (tp->th_msg, pe->e_msg);
   length = strlen (pe->e_msg);
+  memcpy (tp->th_msg, pe->e_msg, length);
   tp->th_msg[length] = '\0';
   length += 5;
   if (sendto (peer, buf, length, 0, (struct sockaddr *) &from, fromlen) != 
length)
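
Review bot: The memcpy() in nak() takes its size from strlen (pe->e_msg) alone, and the following tp->th_msg[length] = '\0' writes at that same offset, with nothing in the hunk comparing length against the capacity of the buffer tp points into (buf, judging by the sendto() call). Because the declared size of th_msg says nothing about the real buffer, an explicit bound is the only check there can be; since pe->e_msg may come from strerror(), suggest clamping length to the space available for the message before the copy. The same applies to the memcpy() in src/tftp.c.
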
diff --git a/tests/tftp.sh b/tests/tftp.sh
index 47c123d..d4d58b9 100755
--- a/tests/tftp.sh
+++ b/tests/tftp.sh
@@ -386,7 +386,42 @@ get $name" | \
            SUCCESSES=`expr $SUCCESSES + 1`
            test -z "$VERBOSE" || echo "Successful comparison for $addr/$name." 
>&2
        fi
-   done
+    done
+
+    # Do a compound test with multiple requests.
+    # Issue one request for locally renamed file.
+    rm -f file-small _file-small_ missing-file
+    EFFORTS=`expr $EFFORTS + 1`
+
+    cat <<-EOT |
+       binary
+       get file-small
+       get missing-file
+       get file-small _file-small_
+       quit
+       EOT
+    eval $TFTP ${VERBOSE:+-v} "$addr" $PORT $bucket
+
+    if cmp "$TMPDIR/tftp-test/file-small" file-small 2>/dev/null \
+       && test ! -s missing-file \
+       && cmp "$TMPDIR/tftp-test/file-small" _file-small_ 2>/dev/null
+    then
+       SUCCESSES=`expr $SUCCESSES + 1`
+       test -z "$VERBOSE" || echo "Successful compound test." >&2
+    else
+       echo "Failure during compound test." >&2
+
+       # Investigate probable causes.
+       test -s _file-small_ ||
+           echo "Third get request failed after file known to be missing." >&2
+       { test ! -f missing-file || test -s missing-file ; } &&
+           echo "The missing file did not appear as empty." >&1
+       test -s file-small ||
+           echo "Not even the first request succeeded." >&2
+       RESULT=1
+    fi
+
+    rm -f file-small _file-small_ missing-file
 done
 
 # Test the ability of inetd to reload configuration:
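
Review bot: The diagnostic "The missing file did not appear as empty." is redirected with >&1, while every other message in this block uses >&2; this looks like a typo and puts that one message on stdout. Separately, that diagnostic fires when missing-file does not exist ("test ! -f missing-file"), but the pass condition "test ! -s missing-file" is also true for a non-existent file, so the two disagree on whether absence counts as success. Suggest "test -f missing-file && test ! -s missing-file" in the pass condition if an empty file is the expected outcome, or dropping the "! -f" arm from the diagnostic otherwise.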

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     | 17 +++++++++++++++++
 src/tftp.c    |  2 +-
 src/tftpd.c   |  2 +-
 tests/tftp.sh | 37 ++++++++++++++++++++++++++++++++++++-
 4 files changed, 55 insertions(+), 3 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


