Re: Heap-based Buffer Overflow in logger

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heap-based Buffer Overflow in logger

From:	Simon Josefsson
Subject:	Re: Heap-based Buffer Overflow in logger
Date:	Thu, 07 Jul 2022 23:49:30 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

AiDai <wyxaidai@gmail.com> writes:

> 0x60c00000003f is located 1 bytes to the left of 120-byte region

Nice catch!  Reproducing it is easy:

jas@latte:~/src/inetutils$ valgrind src/logger -s ''
...
==339979== Invalid read of size 1
==339979==    at 0x10AA71: send_to_syslog (logger.c:329)
==339979==    by 0x10A5CD: main (logger.c:504)
==339979==  Address 0x4a343ef is 1 bytes before a block of size 1 alloc'd
==339979==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==339979==    by 0x10CB08: xmalloc (xmalloc.c:44)
==339979==    by 0x10A57D: main (logger.c:494)

Writing a self-check for it is harder though, since the tool doesn't
crash.

Fixed by this patch:

https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=8e0df0e80b156a09ff361050bac38bbdcda03aef

/Simon

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Heap-based Buffer Overflow in logger, Simon Josefsson <=

Prev by Date: Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
Next by Date: Re: Supported TLDs
Previous by thread: Re: NULL Pointer Dereference in setcmd () at commands.c:1152
Next by thread: Re: Supported TLDs
Index(es):
- Date
- Thread