Bug#528675: libnet-arp-perl: Buffer overflow in get_mac_linux()

Franck Joncourt franck.mail at dthconnex.com
Thu May 14 18:24:56 UTC 2009


Michael Bienia wrote:
> Hello,

Hi,

> libnet-arp-perl fails to build in Ubuntu karmic because of a buffer
> overflow in get_mac_linux():
> 
> t/get_mac........*** buffer overflow detected ***: /usr/bin/perl terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x4b)[0x4014c97b]
> /lib/libc.so.6[0x4014a9c0]
> /lib/libc.so.6(__strcpy_chk+0x44)[0x40149cf4]
> /build/buildd/libnet-arp-perl-1.0.3/blib/arch/auto/Net/ARP/ARP.so(get_mac_linux+0x7c)[0x401e2afc]
> /build/buildd/libnet-arp-perl-1.0.3/blib/arch/auto/Net/ARP/ARP.so(XS_Net__ARP_get_mac+0x1d5)[0x401e1d15]
> /usr/bin/perl(Perl_pp_entersub+0x552)[0x80b3c92]
> /usr/bin/perl(Perl_runops_standard+0x19)[0x80b2069]
> /usr/bin/perl(perl_run+0x2e0)[0x80b04d0]
> /usr/bin/perl(main+0xed)[0x8063ebd]
> /lib/libc.so.6(__libc_start_main+0xe5)[0x4007c775]
> /usr/bin/perl[0x8063d31]
> 
> The upstream "Changes" file talks about a fix for a buffer overflow in
> get_mac_linux() but when I compared the version 1.0.2 and 1.0.3 (or even
> 1.0.4) I couldn't find any changes for this.

Yes, I mentioned it on CPAN:

http://rt.cpan.org:80/Public/Bug/Display.html?id=45126

and unfortunately this has not been fixed in 1.04.
The patch I submitted made rather minimal changes (only wanted to fix my
problem without updating anything else), but I sent upstream another
patch with more changes which fixed this in a better way along with
other stuff.

I am still waiting for a reply. :)

> Attached is a small patch which fixes this by ensuring that not more
> data is copied into the interface name buffer than fits in.

+-  strcpy(iface.ifr_name,dev);
++  strncpy(iface.ifr_name, dev, IFNAMSIZ);
++  iface.ifr_name[IFNAMSIZ] = '\0';
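
Review bot: The terminator on the last added line is written to iface.ifr_name[IFNAMSIZ], which is one byte past the end of the buffer, since ifr_name holds IFNAMSIZ bytes and its last valid index is IFNAMSIZ-1. The strncpy bound is fine, but the NUL store should be iface.ifr_name[IFNAMSIZ-1] = '\0'; as written it trades the strcpy overflow for a one-byte out-of-bounds write.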

You may want to use this instead:

+-  strcpy(iface.ifr_name,dev);
++  strncpy(iface.ifr_name, dev, IFNAMSIZ);
++  iface.ifr_name[IFNAMSIZ-1] = '\0';
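
Review bot: The strncpy plus terminator at IFNAMSIZ-1 stays in bounds, but a dev of IFNAMSIZ or more characters is silently truncated, so the function carries on with a shortened interface name instead of failing. Consider checking strlen(dev) >= IFNAMSIZ before the copy and returning an error to the caller, and note the length limit in the function's documentation.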

I will add a patch this weekend to fix all the overflows.

Regards,

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
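
The bounded copy discussed in this message keeps the write inside ifr_name; a stricter alternative is to reject a name that does not fit rather than truncate it. The C helper below is an added example, not code from Net::ARP or from either patch; set_ifname and the sample names are hypothetical, and it assumes Linux with glibc's <net/if.h>.

```c
#define _DEFAULT_SOURCE   /* expose struct ifreq and IFNAMSIZ on glibc */
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of Net::ARP): copy dev into ifr->ifr_name.
 * Returns 0 on success, or -1 with errno set when dev cannot be stored
 * together with its terminating NUL. Nothing is written on failure. */
int set_ifname(struct ifreq *ifr, const char *dev)
{
    size_t len;

    if (ifr == NULL || dev == NULL) {
        errno = EINVAL;
        return -1;
    }

    /* strnlen() reads at most IFNAMSIZ bytes of dev, so an unterminated
     * or very long input is never scanned past the limit we care about. */
    len = strnlen(dev, IFNAMSIZ);
    if (len == 0) {
        errno = EINVAL;
        return -1;
    }
    if (len >= IFNAMSIZ) {          /* no room left for the NUL byte */
        errno = ENAMETOOLONG;
        return -1;
    }

    memset(ifr->ifr_name, 0, IFNAMSIZ);   /* no stale bytes after the name */
    memcpy(ifr->ifr_name, dev, len);      /* last index used is IFNAMSIZ-2 at most */
    return 0;
}

int main(void)
{
    /* Constructed sample names: 4, 15 (longest that fits), 16 and 24 characters. */
    const char *names[] = { "eth0", "abcdefghijklmno",
                            "abcdefghijklmnop", "averyveryverylongifname0" };
    struct ifreq ifr;

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-26s -> %s\n", names[i],
               set_ifname(&ifr, names[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```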
