r35591 - in /trunk/libnet-arp-perl/debian: changelog patches/buffer_overflows.patch patches/prototypes.patch patches/return-value.patch patches/series

thialme-guest at users.alioth.debian.org thialme-guest at users.alioth.debian.org
Sun May 17 17:47:00 UTC 2009 

Author: thialme-guest
Date: Sun May 17 17:46:55 2009
New Revision: 35591

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=35591
Log:
Added patch to fix buffer overflows

Added:
    trunk/libnet-arp-perl/debian/patches/buffer_overflows.patch
Modified:
    trunk/libnet-arp-perl/debian/changelog
    trunk/libnet-arp-perl/debian/patches/prototypes.patch
    trunk/libnet-arp-perl/debian/patches/return-value.patch
    trunk/libnet-arp-perl/debian/patches/series

Modified: trunk/libnet-arp-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libnet-arp-perl/debian/changelog?rev=35591&op=diff
==============================================================================
--- trunk/libnet-arp-perl/debian/changelog (original)
+++ trunk/libnet-arp-perl/debian/changelog Sun May 17 17:46:55 2009
@@ -6,6 +6,8 @@
         - documentation.diff
         - 10alignment-and-headers.patch
   * Added header (author, bug number, description) to all patches.
+  * Added buffer_overflows.patch to fix buffer overflows due to the use of
+    strcpy (Closes: #528675).
 
  -- Franck Joncourt <franck.mail at dthconnex.com>  Sun, 26 Apr 2009 22:07:55 +0200
 

Added: trunk/libnet-arp-perl/debian/patches/buffer_overflows.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libnet-arp-perl/debian/patches/buffer_overflows.patch?rev=35591&op=file
==============================================================================
--- trunk/libnet-arp-perl/debian/patches/buffer_overflows.patch (added)
+++ trunk/libnet-arp-perl/debian/patches/buffer_overflows.patch Sun May 17 17:46:55 2009
@@ -1,0 +1,109 @@
+Author: Franck Joncourt <franck.mail at dthconnex.com>
+Bugs: 528675
+Description: fix buffer overflows due to an unsafe use of strcpy.
+ + Define a constant, HEX_HW_ADDR_LEN, in arp.h to set the length of the
+   hex representation of the hardware address. Its use with strncpy will
+   prevent eventual overflows through the mac variable.
+ + Make sure the device name provided by the user does not overwrite data
+   in the ifreq structure when copied. The device name in an ifreq
+   strcuture is IFNAMSIZ bytes long.
+
+--- libnet-arp-perl.orig/arp.h
++++ libnet-arp-perl/arp.h
+@@ -42,6 +42,10 @@
+ #endif
+ #define IP_ALEN          4
+ 
++/* Length of the hardware address in the standard hex-digits-and-colons
++ * notation (null terminated string) */
++#define HEX_HW_ADDR_LEN  18
++
+ // ARP Header Struktur
+ struct my_arphdr {
+    u_short hw_type;             // hardware type
+--- libnet-arp-perl.orig/get_mac_linux.c
++++ libnet-arp-perl/get_mac_linux.c
+@@ -22,11 +22,13 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/ioctl.h>
++#include <sys/types.h>
+ #include <net/ethernet.h>    
+ #include <string.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <net/if.h>
++#include "arp.h"
+ 
+ int get_mac_linux(u_char *dev, char *mac)
+ {
+@@ -35,16 +37,18 @@
+   struct sockaddr_in *addr;
+   struct ether_addr ether;
+   
+-  if(strlen(mac) > 0)
+-    strcpy(mac,"unknown");
+-  else
++  if (!strlen(mac) || !strlen(dev))
+     return -1;
+ 
+-  if(strlen(dev) == 0)
+-    return -1;
+-  
+-  strcpy(iface.ifr_name,dev);
++  /* Set hardware address as unknown */
++  strncpy(mac,"unknown", HEX_HW_ADDR_LEN);
++  mac[HEX_HW_ADDR_LEN-1] = '\0';
+   
++  /* Copy device name into the ifreq strcture so that we can look for its
++   * hardware address through an ioctl request */
++  strncpy(iface.ifr_name, dev, IFNAMSIZ);
++  iface.ifr_name[IFNAMSIZ-1] = '\0';
++
+   // Open a socket
+   if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+     {
+--- libnet-arp-perl.orig/arp_lookup_linux.c
++++ libnet-arp-perl/arp_lookup_linux.c
+@@ -20,6 +20,8 @@
+ 
+ #include <stdio.h>
+ #include <string.h>
++#include <sys/types.h>
++#include "arp.h"
+ 
+ #define _PATH_PROCNET_ARP "/proc/net/arp"
+ 
+@@ -33,14 +35,12 @@
+   char device[100];
+   int num, type, flags;
+   
+-  if(strlen(mac) > 0)
+-    strcpy(mac,"unknown");
+-  else
++  if (!strlen(mac) || !strlen(ip))
+     return -1;
+ 
+-  if(strlen(ip) == 0)
+-    return -1;
+-  
++  strncpy(mac,"unknown", HEX_HW_ADDR_LEN);
++  mac[HEX_HW_ADDR_LEN-1] = '\0';
++
+   if ((fp = fopen(_PATH_PROCNET_ARP, "r")) == NULL) {
+     perror(_PATH_PROCNET_ARP);
+     return (-1);
+@@ -59,10 +59,10 @@
+ 
+           if ((strlen(dev) == 0 || strcmp(dev, device) == 0) && strcmp(ip, ipaddr) == 0)
+ 	    {
+-	      strcpy(mac, hwa);
+-	      break;
++              strncpy(mac, hwa, HEX_HW_ADDR_LEN);
++              mac[HEX_HW_ADDR_LEN-1] = '\0';
++              break;
+ 	    }
+-	  strcpy(mac, "unknown");
+ 	}
+     }
+ 

Modified: trunk/libnet-arp-perl/debian/patches/prototypes.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libnet-arp-perl/debian/patches/prototypes.patch?rev=35591&op=diff
==============================================================================
--- trunk/libnet-arp-perl/debian/patches/prototypes.patch (original)
+++ trunk/libnet-arp-perl/debian/patches/prototypes.patch Sun May 17 17:46:55 2009
@@ -3,9 +3,9 @@
  The arp header must define the global prototypes of the *_linux and *_bsd
  functions used in order to let the ARP.xs file know about them.
 
---- a/arp.h
-+++ b/arp.h
-@@ -56,3 +56,9 @@ struct my_arphdr {
+--- libnet-arp-perl.orig/arp.h
++++ libnet-arp-perl/arp.h
+@@ -60,3 +60,9 @@
  };
  
  extern struct ether_addr *ether_aton (__const char *__asc) __THROW;

Modified: trunk/libnet-arp-perl/debian/patches/return-value.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libnet-arp-perl/debian/patches/return-value.patch?rev=35591&op=diff
==============================================================================
--- trunk/libnet-arp-perl/debian/patches/return-value.patch (original)
+++ trunk/libnet-arp-perl/debian/patches/return-value.patch Sun May 17 17:46:55 2009
@@ -4,9 +4,9 @@
  do nothing when it succeeds.
  This makes the function returns 0 rather than no value.
 
---- a/arp_lookup_linux.c
-+++ b/arp_lookup_linux.c
-@@ -67,4 +67,5 @@ int arp_lookup_linux(char *dev, char *ip
+--- libnet-arp-perl.orig/arp_lookup_linux.c
++++ libnet-arp-perl/arp_lookup_linux.c
+@@ -67,4 +67,5 @@
      }
  
      fclose(fp);

Modified: trunk/libnet-arp-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libnet-arp-perl/debian/patches/series?rev=35591&op=diff
==============================================================================
--- trunk/libnet-arp-perl/debian/patches/series (original)
+++ trunk/libnet-arp-perl/debian/patches/series Sun May 17 17:46:55 2009
@@ -1,3 +1,4 @@
+buffer_overflows.patch
 return-value.patch
 prototypes.patch
 20skip_send_packet_test.patch

More information about the Pkg-perl-cvs-commits mailing list