tftp assert failure: *** buffer overflow detected ***: tftp terminated
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
netkit-tftp (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
apt-get install tftp
juser@dhcp232:~$ tftp
tftp> get shaz:pxelinux.
ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: tftp 0.17-18ubuntu1
ProcVersionSign
Uname: Linux 2.6.37-2-generic x86_64
Architecture: amd64
AssertionMessage: *** buffer overflow detected ***: tftp terminated
Date: Sun Nov 7 16:23:19 2010
ExecutablePath: /usr/bin/tftp
ProcCmdline: tftp shaz
ProcEnviron:
SHELL=/bin/bash
PATH=(custom, user)
LANG=en_US
Signal: 6
SourcePackage: netkit-tftp
StacktraceTop:
raise (sig=<value optimized out>) at ../nptl/
abort () at abort.c:92
__libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/
__fortify_fail (msg=0x7f06767e1210 "buffer overflow detected") at fortify_fail.c:32
__chk_fail () at chk_fail.c:29
Title: tftp assert failure: *** buffer overflow detected ***: tftp terminated
UserGroups: adm admin audio cdrom dialout lpadmin plugdev video
visibility: private → public
Changed in netkit-tftp (Ubuntu):
status: New → Fix Released
LANG=C readelf -sW tftp | grep _chk
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __longjmp_chk@GLIBC_2.11 (3)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __fprintf_chk@GLIBC_2.3.4 (4)
10: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __printf_chk@GLIBC_2.3.4 (4)
15: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __memcpy_chk@GLIBC_2.3.4 (4)
27: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __strcpy_chk@GLIBC_2.3.4 (4)
32: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (6)
buffer overflow likely came from memcpy or strcpy:
$ grep memcpy *
main.c: memcpy(&s_inn, ai->ai_addr, ai->ai_addrlen);
main.c: memcpy(&s_inn, ai->ai_addr, ai->ai_addrlen);
main.c: memcpy(&s_inn, ai->ai_addr, ai->ai_addrlen);
tftp.c: memcpy(&from, &s_inn, sizeof(from));
tftp.c: memcpy(&from, &s_inn, sizeof(from));
$ grep strcpy *
main.c: strcpy(mode, "netascii");
main.c: strcpy(line, "Connect ");
main.c: strcpy(mode, newmode);
main.c: strcpy(line, "send ");
main.c: strcpy(ccp, tail(argv[n]));
main.c: strcpy(line, "get ");
main.c: strcpy(line, "Rexmt-timeout ");
main.c: strcpy(line, "Maximum-timeout ");
tftp.c: strcpy(cp, name);
tftp.c: strcpy(cp, mode);
tftp.c: strcpy(tp->th_msg, pe->e_msg);
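
An added example, not part of the bug report or of netkit-tftp: a C model of the checks behind the `__strcpy_chk` and `__memcpy_chk` symbols in the readelf output, applied to two call-site shapes from the grep results. The buffer sizes, the type of `s_inn`, the sample file names, and the function names `model_strcpy_chk`, `model_memcpy_chk`, `copy_name` and `copy_addr` are assumptions; the example does not establish which call aborted in the report.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Model of glibc's __strcpy_chk: src plus its NUL must fit in dstlen, the
 * destination size the compiler recorded. The real function calls
 * __chk_fail() (abort, signal 6); the model returns -1 instead. */
int model_strcpy_chk(char *dst, const char *src, size_t dstlen)
{
    if (strlen(src) >= dstlen)
        return -1;
    strcpy(dst, src);
    return 0;
}

/* Model of __memcpy_chk: the requested length must not exceed dstlen. */
int model_memcpy_chk(void *dst, const void *src, size_t len, size_t dstlen)
{
    if (len > dstlen)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Shape of strcpy(cp, name): caller-controlled source, fixed destination.
 * The 16-byte buffer is a constructed size, not taken from tftp.c. */
int copy_name(const char *name)
{
    char buf[16];
    return model_strcpy_chk(buf, name, sizeof(buf));
}

/* Shape of memcpy(&s_inn, ai->ai_addr, ai->ai_addrlen): the length comes
 * from the source. Assumes s_inn is a struct sockaddr_in. */
int copy_addr(size_t addrlen)
{
    struct sockaddr_in s_inn;
    struct sockaddr_storage src;   /* stands in for ai->ai_addr */
    memset(&src, 0, sizeof(src));
    return model_memcpy_chk(&s_inn, &src, addrlen, sizeof(s_inn));
}

int main(void)
{
    printf("short name: %d\n", copy_name("boot.img"));
    printf("long name:  %d\n", copy_name("a/much/longer/file/name"));
    printf("IPv4 len:   %d\n", copy_addr(sizeof(struct sockaddr_in)));
    printf("IPv6 len:   %d\n", copy_addr(sizeof(struct sockaddr_in6)));
    return 0;
}
```

A result of -1 marks the condition under which the fortified binary would print "buffer overflow detected" and abort rather than copy.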