
Bug#568290: ax25-tools: beacon crashes if the length of the destination exceeds 20

by Kamal Mostafa


Package: ax25-tools
Version: 0.0.8-13.1
Severity: normal
Tags: patch
User: ubuntu-devel@...
Usertags: origin-ubuntu karmic ubuntu-patch



In Ubuntu, we've applied the attached patch to achieve the following:

  * Fix beacon -d <longstring> crash (LP: #353219):
    - Cherry-pick fix from upstream ax25_tools_0_0_10_rc1 (www.linux-ax25.org):
      ax25/beacon.c (CVS rev 1.2): important security fix:
        char addr[20] was statically sized, but strcpy(addr, argv[n]) copied a string of variable length into it.

We thought you might be interested in doing the same.


--- ax25-tools-0.0.8.orig/ax25/beacon.c
+++ ax25-tools-0.0.8/ax25/beacon.c
@@ -43,7 +43,7 @@
  struct full_sockaddr_ax25 dest;
  struct full_sockaddr_ax25 src;
  int s, n, dlen, len, interval = 30;
- char addr[20], *port, *message, *portcall;
+ char *addr, *port, *message, *portcall;
  char *srccall = NULL, *destcall = NULL;
 
  while ((n = getopt(argc, argv, "c:d:lmst:v")) != -1) {
@@ -100,27 +100,36 @@
  return 1;
  }
 
+ addr = NULL;
  if (mail)
- strcpy(addr, "MAIL");
+ addr = strdup("MAIL");
  else if (destcall != NULL)
- strcpy(addr, destcall);
+ addr = strdup(destcall);
  else
- strcpy(addr, "IDENT");
+ addr = strdup("IDENT");
+ if (addr == NULL)
+  return 1;
 
  if ((dlen = ax25_aton(addr, &dest)) == -1) {
  fprintf(stderr, "beacon: unable to convert callsign '%s'\n", addr);
  return 1;
  }
+ if (addr != NULL) free(addr); addr = NULL;
 
- if (srccall != NULL && strcmp(srccall, portcall) != 0)
+ if (srccall != NULL && strcmp(srccall, portcall) != 0) {
+ if ((addr = (char *) malloc(strlen(srccall) + 1 + strlen(portcall) + 1)) == NULL)
+ return 1;
  sprintf(addr, "%s %s", srccall, portcall);
- else
- strcpy(addr, portcall);
+ } else {
+ if ((addr = strdup(portcall)) == NULL)
+ return 1;
+ }
 
  if ((len = ax25_aton(addr, &src)) == -1) {
  fprintf(stderr, "beacon: unable to convert callsign '%s'\n", addr);
  return 1;
  }
+ if (addr != NULL) free(addr); addr = NULL;
 
  if (!single) {
  if (!daemon_start(FALSE)) {
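Review bot: The two cleanup lines `if (addr != NULL) free(addr); addr = NULL;` put a guarded statement and an unguarded one on the same line, which reads like a braceless-if mistake; `free(NULL)` is a no-op, so `free(addr);` followed by `addr = NULL;` on its own line does the same thing. In the srccall branch the allocation size and the `"%s %s"` format are kept in step by hand, so computing the size once into a `size_t` and calling `snprintf(addr, size, "%s %s", srccall, portcall);` would keep the write bounded if either is edited later. The new allocation-failure paths `return 1` with no message, unlike the ax25_aton failures beside them, and those ax25_aton failure paths now return without freeing addr; this is harmless if the enclosing function is main(), but it starts and ends outside the hunk, so that is an assumption. With the fixed 20-byte buffer gone, rejection of an over-long -d value rests entirely on ax25_aton, whose bounds handling is not visible here and is worth confirming.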
