Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 336605 - net-analyzer/tcpreplay _FORTIFY_SOURCE indicates presence of overflow
Summary: net-analyzer/tcpreplay _FORTIFY_SOURCE indicates presence of overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Netmon Herd
URL: http://tcpreplay.synfin.net/changeset...
Whiteboard:
Keywords:
Depends on:
Blocks: fortify-source
  Show dependency tree
 
Reported: 2010-09-09 14:46 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2012-09-22 11:20 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Build log (tcpreplay-3.4.4:20100909-011432.log,75.60 KB, text/plain)
2010-09-09 14:46 UTC, Diego Elio Pettenò (RETIRED)
Details
Patch to tcpreplay-3.4.4.ebuild to add sed statement to fix overflow (tcpreplay-3.4.4.ebuild.patch,379 bytes, patch)
2010-09-11 05:43 UTC, Kevin Pyle
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-09 14:46:27 UTC
You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer.

Even though this is not always an indication of a security problem it might even be. So please check this out ASAP.

By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0.

Thanks,
Your friendly neighborhood tinderboxer
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-09 14:46:59 UTC
Created attachment 246603 [details]
Build log
Comment 2 Kevin Pyle 2010-09-11 05:43:24 UTC
Created attachment 246800 [details, diff]
Patch to tcpreplay-3.4.4.ebuild to add sed statement to fix overflow

Upstream declares a char ipaddr[16], then tells snprintf that the length is 17.  This sed bumps the buffer up to char ipaddr[20].
Comment 3 Jeroen Roovers gentoo-dev 2010-10-29 05:24:44 UTC
Looks like it's fixed in 3.4.5beta2 and in the URL. Maybe we can introduce that patch or get 3.4.5_beta2 in the tree. Or wait for the final 3.4.5.
Comment 4 Jeroen Roovers gentoo-dev 2010-10-29 06:04:48 UTC
3.4.5_beta2 is in the tree.
Comment 5 Jeroen Roovers gentoo-dev 2010-10-29 17:16:52 UTC
Index: package.mask
===================================================================
RCS file: /var/cvsroot/gentoo-x86/profiles/package.mask,v
retrieving revision 1.12116
retrieving revision 1.12117
diff -u -B -r1.12116 -r1.12117
--- package.mask        29 Oct 2010 10:15:28 -0000      1.12116
+++ package.mask        29 Oct 2010 13:16:33 -0000      1.12117
@@ -1,5 +1,5 @@
 ####################################################################
-# $Header: /var/cvsroot/gentoo-x86/profiles/package.mask,v 1.12116 2010/10/29 10:15:28
 ssuominen Exp $                                                                       +# $Header: /var/cvsroot/gentoo-x86/profiles/package.mask,v 1.12117 2010/10/29 13:16:33
 pva Exp $                                                                              #
 # When you add an entry to the top of this file, add your name, the date, and
 # an explanation of why something is getting masked. Please be extremely
@@ -31,6 +31,10 @@
 
 #--- END OF EXAMPLES ---
 
+# Peter Volkov <pva@gentoo.org> (29 Oct 2010)
+# mask beta release
+=net-analyzer/tcpreplay-3.4.5*
+
 # Samuli Suominen <ssuominen@gentoo.org> (29 Oct 2010)
 # freqtweak, bug 336160, uses obsolete wxgtk
 # mplinuxman, bug 338863, for old MP3 players, overflows buffers
Comment 6 Pacho Ramos gentoo-dev 2012-03-19 11:41:10 UTC
Could the patch be applied to 3.4.4 then?
Comment 7 Pacho Ramos gentoo-dev 2012-09-22 11:20:29 UTC
*tcpreplay-3.4.4-r1 (29 Oct 2010)

  29 Oct 2010; Peter Volkov <pva@gentoo.org> +tcpreplay-3.4.4-r1.ebuild,
  +files/tcpreplay-3.4.4-crash.patch:
  Fix buffer overflow (bug #336605) in stable version.