[Secure-testing-team] Bug#606808: echoping crashes sometimes when used against HTTPS host
Dmitry Semyonov
linulin at gmail.com
Sat Dec 11 21:57:20 UTC 2010
Package: echoping
Version: 6.0.2-3
Severity: grave
Tags: security patch
Justification: user security hole
I use Smokeping to monitor a number of external hosts. echoping is
called by the EchoPingHttps Smokeping probe, and it crashes several times a
week, resulting in a syslog error like:
Dec 11 00:13:27 bor kernel: [49668.766339] echoping[17510]: segfault at 767c858e ip 0804db39 sp bfea8710 error 4 in echoping[8048000+9000]
Hopefully, I found the source of this crash. I'm now running the patched
echoping binary to verify the fix, which is provided below. (Strictly
speaking, only the last change is required, but the former two improve
safety without causing any harm.)
--- echoping-6.0.2.orig/readline.c
+++ echoping-6.0.2/readline.c
@@ -139,7 +139,8 @@
if (ln) {
/* Empty buffer */
if (buf_end == 0) {
- rc = gnutls_record_recv(session, TLS_buffer, maxlen);
+ rc = gnutls_record_recv(session, TLS_buffer,
+ maxlen > MAXTOREAD ? MAXTOREAD : maxlen);
if (rc == -1)
return rc;
buf_end = rc;
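Review bot: the clamp added at both `gnutls_record_recv` calls in this hunk caps the request at `MAXTOREAD`, so it is correct only under the assumption that `TLS_buffer` holds exactly `MAXTOREAD` bytes; if `TLS_buffer` is an array rather than a pointer, `sizeof(TLS_buffer)` would tie the bound to the real size, otherwise a comment at the buffer's definition should state the invariant. The same ternary is now spelled out at three call sites across both hunks, so a small static helper or macro would keep them from drifting apart. Separately, the existing `if (rc == -1)` on the context lines only catches one value: gnutls_record_recv reports failures as negative `GNUTLS_E_*` codes and returns 0 when the peer closes the connection, so `rc < 0` (with 0 handled as end of data) would be the safer check before `buf_end = rc`.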
@@ -148,13 +149,14 @@
/* No more data in the buffer */
else if (buf_ptr == buf_end) {
buf_ptr = 0;
- rc = gnutls_record_recv(session, TLS_buffer, maxlen);
+ rc = gnutls_record_recv(session, TLS_buffer,
+ maxlen > MAXTOREAD ? MAXTOREAD : maxlen);
if (rc == -1)
return rc;
buf_end = rc;
} else if (TLS_buffer[buf_end] != '\n') {
rc = gnutls_record_recv(session, TLS_buffer + buf_end,
- maxlen);
+ maxlen > MAXTOREAD - buf_end ? MAXTOREAD - buf_end : maxlen);
if (rc == -1)
return rc;
buf_end = buf_end + rc;
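Review bot: the clamp at the third call site, `maxlen > MAXTOREAD - buf_end ? MAXTOREAD - buf_end : maxlen`, is the change that stops the write past the end of `TLS_buffer`, but it relies on `buf_end <= MAXTOREAD` holding on entry; if `buf_end` is signed or can ever exceed `MAXTOREAD`, the subtraction produces a negative or wrapped length, so an explicit guard before the call (for example returning the buffered data as a full line when `buf_end >= MAXTOREAD`) would make the bound unconditional rather than implied. The preceding condition `else if (TLS_buffer[buf_end] != '\n')` also deserves a look: it indexes position `buf_end`, which after a full read equals `MAXTOREAD` and so reads one past a `MAXTOREAD`-sized buffer; it is worth confirming whether the last received byte, `TLS_buffer[buf_end - 1]`, was intended.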
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages echoping depends on:
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libidn11 1.15-2 GNU Libidn library, implementation
ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries
ii libpopt0 1.16-1 lib for parsing cmdline parameters
echoping recommends no packages.
echoping suggests no packages.
-- no debconf information
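The bound the patch introduces at the third call site, modelled in isolation as an added example (not echoping's code): a fixed buffer with a fill index, a stand-in for `gnutls_record_recv()` whose return length is decided by the constructed payload rather than the caller, and the clamp that limits each append to the room actually left. The value of `MAXTOREAD`, the struct, the canary byte and all function names are constructed for this example; `canary_intact()` reports whether any append wrote past `data[]` or over-counted `buf_end`.

```c
#include <stddef.h>
#include <string.h>

/* MAXTOREAD is the buffer size echoping's readline.c reads into; 64 here is
 * a constructed stand-in for the real value. CANARY is test scaffolding. */
#define MAXTOREAD 64
#define CANARY 0x7e

/* Modelled on TLS_buffer and its fill index; the canary byte after data[]
 * lets a caller detect a read that ran past the end of the buffer. */
struct linebuf {
    char data[MAXTOREAD];
    char canary;    /* must stay CANARY after every read */
    size_t buf_end; /* number of valid bytes in data[] */
};

static void linebuf_init(struct linebuf *lb) {
    memset(lb->data, 0, sizeof lb->data);
    lb->canary = CANARY;
    lb->buf_end = 0;
}

/* Stand-in for gnutls_record_recv(): copies up to len bytes of a constructed
 * payload into out. The peer decides how much arrives, so len must be the
 * room the caller really has, not the caller's preferred read size. */
static size_t fake_recv(const char *payload, char *out, size_t len) {
    size_t n = strlen(payload);
    if (n > len) n = len;
    memcpy(out, payload, n);
    return n;
}

/* The clamp the patch adds at the third call site, with buf_end >= MAXTOREAD
 * handled explicitly so the subtraction cannot wrap. */
static size_t clamp_len(size_t maxlen, size_t buf_end) {
    if (buf_end >= MAXTOREAD) return 0;
    return maxlen > MAXTOREAD - buf_end ? MAXTOREAD - buf_end : maxlen;
}

/* The "data buffered but no newline yet" branch: append at data + buf_end,
 * asking for no more than the remaining room. Returns bytes appended. */
static size_t append_read(struct linebuf *lb, size_t maxlen, const char *payload) {
    size_t rc = fake_recv(payload, lb->data + lb->buf_end,
                          clamp_len(maxlen, lb->buf_end));
    lb->buf_end += rc;
    return rc;
}

static int canary_intact(const struct linebuf *lb) {
    return lb->canary == CANARY && lb->buf_end <= MAXTOREAD;
}
```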