The tftp client is aborted due to a buffer overflow when trying to "put" files.

Ubuntu have a patch mentioned at https://launchpad.net/ubuntu/+source/tftp-hpa/+changelog
Did not manage to get the original patch, but reversed it from the package changelog diff at http://launchpadlibrarian.net/65402494/tftp-hpa_5.0-21ubuntu1_5.0-21ubuntu2.diff.gz

Reproducible: Always

Steps to Reproduce:
1. echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nput a\n" | tftp 192.168.1.1

Actual Results:
tftp 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put a
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f64c6290ed7]
/lib64/libc.so.6(+0xead30)[0x7f64c628ed30]
tftp[0x401ba1]
tftp[0x402087]
tftp[0x403c47]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f64c61c2ebd]
tftp[0x401a89]
======= Memory map: ========
Aborted

Expected Results:
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put a
sent WRQ <file=a, mode=octet>
sent WRQ <file=a, mode=octet>
sent WRQ <file=a, mode=octet>
sent WRQ <file=a, mode=octet>
....

sys-libs/glibc-2.13-r4
Created attachment 280041 [details, diff]
Buffer overflow patch from Ubuntu
Created attachment 280043 [details, diff]
Patch for the ebuild to use the memcpy patch
tftp failed

# echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nget wdsnbp.com\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> get wdsnbp.com
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f8ca500cd47]
/lib64/libc.so.6(+0xf7bc0)[0x7f8ca500abc0]
tftp[0x4020d1]
tftp[0x402b1d]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7f8ca4f342fd]
tftp[0x401fd9]
======= Memory map: ========
已放弃

gentoo shm # ls
p  portage  pulse-shm-1883080623  pulse-shm-3653517906  pulse-shm-979569134  tftp>  wdsnbp.com
gentoo shm # echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nput p\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put p
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fd4e930dd47]
/lib64/libc.so.6(+0xf7bc0)[0x7fd4e930bbc0]
tftp[0x4020d1]
tftp[0x4025ae]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7fd4e92352fd]
tftp[0x401fd9]
======= Memory map: ========
已放弃
Created attachment 281673 [details, diff]
patch

patch use-memcpy-for-header.patch
Problem confirmed here. The patch works fine, please get it into the tree until upstream fixes it.
Comment on attachment 280041 [details, diff]
Buffer overflow patch from Ubuntu

this patch doesn't apply to tftp-hpa-5.1 as it seems to already be included
Comment on attachment 280043 [details, diff]
Patch for the ebuild to use the memcpy patch

since the patch doesn't apply, I don't see how this ebuild would work
Comment on attachment 281673 [details, diff]
patch

this patch doesn't make any sense to me

old code:
    strcpy(cp, name);
    cp += strlen(name);
    *cp++ = '\0';
    strcpy(cp, mode);
    cp += strlen(mode);
    *cp++ = '\0';

new code:
    len = strlen(name);
    memcpy(cp, name, len);
    cp += len;
    *cp++ = '\0';
    len = strlen(mode);
    memcpy(cp, mode, len);
    cp += len;
    *cp++ = '\0';

seems to end up at the exact same place: cp has all the bytes of "name" copied to it, followed by a NUL char, followed by all the bytes of "mode", followed by a NUL char.

to put it a different way, these sets of statements are equivalent:
    strcpy(cp, name);
    cp += strlen(name);
    *cp++ = '\0';

    len = strlen(name);
    memcpy(cp, name, len);
    cp += len;
    *cp++ = '\0';
(In reply to comment #8)
> Comment on attachment 281673 [details, diff]
> patch
>
> this patch doesn't make any sense to me

I agree with your analysis that the patch apparently does not change the meaning of the code, yet it definitely eliminates the runtime failure. I suspect the use of strcpy triggers the compiler to insert the stack smash detector logic, whereas the use of memcpy does not. In other words, this patch doesn't actually fix the underlying problem but merely disables the code that detects it.

Even so, since this is the difference between being able to use tftp-hpa and not, and since Ubuntu/Debian have included this patch, I request that the patch be added to the ebuild in Portage.
Looks like an off-by-one bug: when using strcpy() the final '\0' is added by strcpy(), and since it's off by one byte, it'll report as a buffer overflow. On the other hand, when using memcpy(), it stops _before_ the final '\0' that is instead added with *cp++ (which does not trigger fortification). Basically means that Ubuntu went for a convoluted workaround because they couldn't tell how to properly fix this...
Mike, this looks almost identical to the issue with Wine's variable-sized data structures, as th_stuff is declared as char[1] in the /usr/include/arpa/tftp.h header .. you might want to look at that?
Thanks, I'll look in that direction. This makes it sound like there isn't an actual security concern.
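Added here as an example of the kind of fix the thread is asking for, not code from tftp-hpa or from either patch: the RRQ/WRQ header ("opcode, filename, NUL, mode, NUL") is built and parsed against the caller's real buffer length instead of the 1-byte th_stuff placeholder, so the question of whether strcpy or memcpy trips fortification never arises. The function names and the 516-byte buffer used when calling it are assumptions made for this example.

```c
/* Added example, not tftp-hpa's code: a bounds-checked builder and parser
 * for the TFTP RRQ/WRQ request the thread discusses.  The function names
 * are assumptions made for this example. */
#include <limits.h>
#include <stddef.h>
#include <string.h>

#define RRQ_OPCODE 1
#define WRQ_OPCODE 2

/* Build "<opcode><name>\0<mode>\0" into buf.  Returns the packet length, or
 * -1 if it would not fit in bufsize.  The check is against the caller's real
 * buffer, not the 1-byte th_stuff placeholder, so neither strcpy nor memcpy
 * can run past the end and fortification has nothing left to catch. */
static int make_request(int opcode, const char *name, const char *mode,
                        unsigned char *buf, size_t bufsize)
{
    size_t nlen = strlen(name), mlen = strlen(mode);
    size_t need = 2 + nlen + 1 + mlen + 1;   /* opcode + two NUL-terminated strings */

    if (need > bufsize || need > (size_t)INT_MAX)
        return -1;
    buf[0] = (unsigned char)(opcode >> 8);   /* opcode in network byte order */
    buf[1] = (unsigned char)(opcode & 0xff);
    memcpy(buf + 2, name, nlen + 1);         /* nlen + 1 copies the NUL as well */
    memcpy(buf + 2 + nlen + 1, mode, mlen + 1);
    return (int)need;
}

/* Parse a len-byte request: returns the opcode and points *name and *mode
 * into pkt, or -1 if either string lacks a NUL inside the packet. */
static int parse_request(const unsigned char *pkt, size_t len,
                         const char **name, const char **mode)
{
    const unsigned char *nul;
    size_t off = 2;

    if (len < 2)
        return -1;
    *name = (const char *)(pkt + off);
    nul = memchr(pkt + off, '\0', len - off);
    if (nul == NULL || (size_t)(nul - pkt) + 1 >= len)
        return -1;
    off = (size_t)(nul - pkt) + 1;
    *mode = (const char *)(pkt + off);
    if (memchr(pkt + off, '\0', len - off) == NULL)
        return -1;
    return (pkt[0] << 8) | pkt[1];
}
```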
*** This bug has been marked as a duplicate of bug 357083 ***