FS#28103 - [tftp-hpa] tftp client buffer overflow crash

Attached to Project: Arch Linux
Opened by Julien Nicoulaud (nicoulaj) - Wednesday, 25 January 2012, 19:49 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 02 March 2012, 09:20 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
Using the tftp client on a local server, any "put" or "get" operation makes it crash with a buffer overflow error.

Additional info:
* package version(s): 5.2
* config and/or log files etc.

Tested with an atftp server (from AUR), crashes as well. Also tested with tftp servers hosted on Ubuntu and CentOS boxes, crashes too.

Steps to reproduce:
$ sudo pacman -S tftp-hpa
$ sudo touch /var/tftpboot/test
$ sudo rc.d start tftpd
$ tftp localhost
tftp> get test
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f9597722e27]
/lib/libc.so.6(+0xf5db0)[0x7f9597720db0]
tftp[0x401ce1]
tftp[0x40275d]
tftp[0x40188a]
/lib/libc.so.6(__libc_start_main+0xed)[0x7f959764c38d]
tftp[0x401be9]
======= Memory map: ========
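The `*** buffer overflow detected ***` line and `__fortify_fail` frame in the backtrace are glibc's _FORTIFY_SOURCE abort: a fortified string or memory call was handed a destination it could prove too small, and glibc terminated the process rather than let the overrun continue. As an added illustration (not tftp-hpa's code, and no claim about where its bug lies), the following TFTP request builder and parser check every length explicitly, so neither an outgoing RRQ/WRQ nor a received packet can overrun or over-read its buffer; PKTSIZE and the function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* RFC 1350: 512-byte segment + 4-byte header (assumed, not from the report) */
#define PKTSIZE (512 + 4)
#define OP_RRQ 1                /* OP_WRQ would be 2 */

/* Build an RRQ/WRQ: big-endian opcode, filename, NUL, mode, NUL. The total
 * is checked against buflen before any byte is copied. Returns length or -1. */
ssize_t build_request(uint8_t *buf, size_t buflen, uint16_t opcode,
                      const char *file, const char *mode)
{
    size_t flen = strlen(file), mlen = strlen(mode);
    size_t total = 2 + flen + 1 + mlen + 1;
    if (flen == 0 || total > buflen) return -1;   /* would overrun buf */
    buf[0] = (uint8_t)(opcode >> 8);
    buf[1] = (uint8_t)(opcode & 0xff);
    memcpy(buf + 2, file, flen + 1);              /* copies the NUL too */
    memcpy(buf + 2 + flen + 1, mode, mlen + 1);   /* copies the NUL too */
    return (ssize_t)total;
}

/* Parse a request from the wire. Both strings must be NUL-terminated inside
 * len, so a truncated packet is rejected rather than read past its end.
 * Returns the opcode, or -1 if malformed; file/mode (may be NULL) point into pkt. */
int parse_request(const uint8_t *pkt, size_t len,
                  const char **file, const char **mode)
{
    if (len < 6) return -1;                       /* opcode + "x\0" + "y\0" */
    const char *f = (const char *)pkt + 2;
    const char *fend = memchr(f, 0, len - 2);
    if (fend == NULL || fend == f) return -1;     /* unterminated or empty name */
    const char *m = fend + 1;
    size_t rest = len - (size_t)(m - (const char *)pkt);
    if (rest == 0 || *m == '\0' || memchr(m, 0, rest) == NULL) return -1;
    if (file) *file = f;
    if (mode) *mode = m;
    return (pkt[0] << 8) | pkt[1];
}

/* Self-test helper: packet length when build and parse agree, otherwise 0. */
int roundtrip_len(const char *file, const char *mode)
{
    uint8_t pkt[PKTSIZE];
    const char *f, *m;
    ssize_t n = build_request(pkt, sizeof pkt, OP_RRQ, file, mode);
    if (n < 0 || parse_request(pkt, (size_t)n, &f, &m) != OP_RRQ) return 0;
    return (strcmp(f, file) == 0 && strcmp(m, mode) == 0) ? (int)n : 0;
}
```

Compiled with `-O2 -D_FORTIFY_SOURCE=2`, the explicit `total > buflen` check is what keeps glibc's fortified `memcpy` from ever needing to abort here.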

Closed by Tobias Powalowski (tpowa)
Friday, 02 March 2012, 09:20 GMT
Reason for closing: Fixed
Additional comments about closing: 5.2-2
Comment by Sverd Johnsen (sjohnsen) - Wednesday, 25 January 2012, 19:53 GMT
Comment by Julien Nicoulaud (nicoulaj) - Wednesday, 25 January 2012, 19:57 GMT
Side note: the tftp client 5.2 works fine on Ubuntu and CentOS, locally or on my Arch server.
Comment by elf Pavlik (elf-pavlik) - Friday, 10 February 2012, 16:28 GMT
I have the same problem, so I just installed atftp from AUR
https://aur.archlinux.org/packages.php?ID=333

which works fine =)
Comment by Jonathan Frazier (wide-eye) - Monday, 13 February 2012, 21:26 GMT
Attached is a gdb backtrace from a package with debug symbols.

The Fedora patch works for me.
Attachment: log (6.1 KiB)
Comment by Jeff Cook (cookiecaper) - Monday, 13 February 2012, 22:18 GMT
The patch posted here by sjohnsen seems to fix this.

Also, elf-pavlik's suggestion of atftp is good. atftp works well and has better features than tftp-hpa. It is probably a better choice than tftp-hpa for those wanting to use the tftp-hpa client.
