overflow in reports with long DNS names
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mtr (Ubuntu) | Fix Released | Low | Kees Cook |
Bug Description
Binary package hint: mtr
David Leadbeater reports:
> Basically the buffer returned from DNS is used in a sprintf which if
> the reverse DNS is long enough will overflow.
>
> split.c:103:
> name = dns_lookup(addr);
> if(name != NULL) {
> /* May be we should test name's length */
> sprintf(newLine, "%s %d %d %d %d %d %d", name,
>
> (I'd definitely agree with whoever wrote that comment.)
>
> $ mtr -p 192.168.1.1
> 1 192.168.91.254 0 1 1 0 0 0
> 1
> this.is.
> veryveryvery.
> 2 ???
> *** stack smashing detected ***: mtr terminated
Additionally:
> I also spotted another thing. There's a bug in the XML output where
> if there are any dropped packets a null pointer dereference can occur
> (run mtr -x and look for the (null), that is actually meaning 0
> dropped packets, if any are actually dropped it will segfault).
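A bounded replacement for the sprintf call quoted in the report, as an added example written for this page (it is not mtr's code or the patch that shipped in 0.72-2ubuntu1). The line-buffer size, the cap on the name field, and the stand-in lookup that fabricates a long reverse-DNS name are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LINE_LEN 80   /* assumed size of mtr's newLine buffer */
#define MAX_NAME 40   /* assumed cap on the host-name field */

/* Stand-in for dns_lookup(): fills buf with a constructed name of
 * name_len characters (dotted labels), as a resolver might return. */
static const char *fake_dns_lookup(char *buf, size_t buflen, size_t name_len)
{
    size_t i;
    for (i = 0; i < name_len && i + 1 < buflen; i++)
        buf[i] = (i % 8 == 7) ? '.' : 'a';
    buf[i] = '\0';
    return buf;
}

/* Bounded version of the report's sprintf: clamp the name to MAX_NAME
 * bytes, then let snprintf limit the whole line. Returns the length the
 * full line would need; a value >= len means the output was truncated. */
int report_line_bounded(char *newLine, size_t len, const char *name,
                        int a, int b, int c, int d, int e, int f)
{
    char safe_name[MAX_NAME + 1];
    size_t n = strlen(name);
    if (n > MAX_NAME)          /* the length test the source comment asked for */
        n = MAX_NAME;
    memcpy(safe_name, name, n);
    safe_name[n] = '\0';
    return snprintf(newLine, len, "%s %d %d %d %d %d %d", safe_name,
                    a, b, c, d, e, f);
}

/* Formats a constructed name of name_len characters with the bounded
 * version and returns the bytes actually written (excluding the NUL). */
int bounded_line_length(size_t name_len)
{
    char name[512];
    char newLine[LINE_LEN];
    const char *p = fake_dns_lookup(name, sizeof name, name_len);
    report_line_bounded(newLine, sizeof newLine, p, 1, 10, 0, 0, 0, 0);
    return (int)strlen(newLine);
}
```

With a 300-character name the line comes out 53 bytes long and stays inside the 80-byte buffer, where the original sprintf would have written past its end.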
Changed in mtr:
assignee: nobody → keescook
importance: Undecided → Low
This bug was fixed in the package mtr - 0.72-2ubuntu1
---------------
mtr (0.72-2ubuntu1) hardy; urgency=low
* split.c: bounds-check domain name copying (LP: #206071).
-- Kees Cook <email address hidden> Sun, 30 Mar 2008 21:22:25 -0700