[Pkg-scicomp-devel] Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf
Peter T. Breuer
ptb at inv.it.uc3m.es
Mon Sep 10 05:56:50 UTC 2007
Package: libglpk0
Version: 4.20-1
Severity: minor
Looking through the code for a way to shut off the annoying messages
from lpx_adv_basis in the version of libglpk0 that is current for my
distribution (a new version has been made available to unstable, but
that's not me ...), I noticed the following in xvprintf of
src/glplib05.c:
static void
xvprintf (const char *fmt, va_list arg)
{
      char buf[4000 + 1];
      vsprintf (buf, fmt, arg);
      xassert (strlen (buf) < sizeof (buf)); /* here! */
      xputs (buf);
      return;
}
The assertion checks the length of the string in the current buffer
AFTER having written it there. Too late, and ineffective anyway.
1) The buffer overflow has already occurred, if it has occurred at all,
so the check is notionally too late. One wants to check before
doing the vsprintf into the buffer, if anywhere.
Yes, it is likely that a buffer overflow seeks to alter the return
address on the stack, so a check in the same routine is not too late
for detecting that, but one can perfectly easily write a string with
a zero half-way along (by writing a low integer, for example) that is
going to stop the strlen calculation within bounds, and a buffer
overflow attempt WILL write zeros.
2) In any case checking strlen(buf) will overrun the buffer in the
event the test fails, likely resulting in a violation of another
sort as it eventually runs into un-mapped memory areas. Only
luck stops it segfaulting.
3) The correct way to do this is to use vsnprintf. One wants
vsnprintf(buf, sizeof(buf), fmt, arg);
The sizeof(buf) is correct. Not sizeof(buf)-1 as the count by
vsnprintf includes a trailing zero. And in any case one can
check the number of bytes returned:
int n = vsnprintf(buf, sizeof(buf), fmt, arg);
xassert(n >= 0 && (size_t)n < sizeof(buf)); /* n >= sizeof(buf) means the output was truncated */
if one really wanted to do a check AFTER the event :), useless though
that is.
Best
Peter
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.15.3 (PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash
Versions of packages libglpk0 depends on:
ii libc6 2.6.1-1+b1 GNU C Library: Shared libraries
ii libgmp3c2 2:4.2.1+dfsg-5 Multiprecision arithmetic library
libglpk0 recommends no packages.
-- no debconf information
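The vsnprintf fix proposed in the report, written out as a stand-alone added example (not code from GLPK or from the reporter): a bounded replacement for the xvprintf pattern that uses the vsnprintf return value to detect truncation, beside the strlen-based check it replaces, run on a constructed format string with an embedded NUL to show why that check is blind. The names bounded_vformat, bounded_format, strlen_check_passes, demo_buf and BUF_CAP are chosen here and are not from glplib05.c.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 16  /* deliberately small; glplib05.c uses 4000 + 1 */
/* Bounded replacement for the xvprintf pattern: formats into buf[cap]
 * with vsnprintf and reports whether the whole output fit. Returns 1
 * if it fit, 0 if vsnprintf truncated it or hit an encoding error. */
static int bounded_vformat(char *buf, size_t cap, const char *fmt, va_list arg)
{
    int n = vsnprintf(buf, cap, fmt, arg);   /* writes at most cap bytes, NUL included */
    if (n < 0) {                             /* encoding error: leave buf empty */
        buf[0] = '\0';
        return 0;
    }
    /* n is the length the complete output would have had, excluding the
     * terminating NUL. cap includes room for that NUL, so sizeof(buf) is
     * the right cap to pass and n >= cap is the truncation condition. */
    return (size_t)n < cap;
}

/* printf-style front end for bounded_vformat. */
static int bounded_format(char *buf, size_t cap, const char *fmt, ...)
{
    va_list arg;
    int fit;
    va_start(arg, fmt);
    fit = bounded_vformat(buf, cap, fmt, arg);
    va_end(arg);
    return fit;
}

/* The after-the-fact check from the original code, for comparison: it
 * only sees up to the first NUL, so it cannot notice what came after. */
static int strlen_check_passes(const char *buf, size_t cap)
{
    return strlen(buf) < cap;
}

static char demo_buf[BUF_CAP];

int main(void)
{
    /* Constructed input: "%c" with 0 embeds a NUL after "ab" and the rest would
     * run past the 16-byte buffer; vsnprintf clips it, the strlen check says "fine". */
    int fit = bounded_format(demo_buf, sizeof demo_buf, "ab%cdefghijklmnopqrstuvwxyz", 0);
    printf("fit=%d strlen_check=%d strlen=%zu\n", fit,
           strlen_check_passes(demo_buf, sizeof demo_buf), strlen(demo_buf));
    return 0;
}
```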