
Bug#813089: marked as done (qeth/ctc: correct stack corruption for numerous qeth/ctc devices)



Your message dated Sun, 07 Feb 2016 00:51:44 +0000
with message-id <E1aSDZo-0001Pm-3r@franck.debian.org>
and subject line Bug#813089: fixed in s390-netdevice 0.0.40
has caused the Debian Bug report #813089,
regarding qeth/ctc: correct stack corruption for numerous qeth/ctc devices
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
813089: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813089
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: s390-netdevice
Version: 0.0.39
Severity: important
Tags: d-i patch

Hi,

the s390-netdevice fails to display the list of qeth network devices if there
are numerous network devices available.  For example, with 68 or more qeth
network devices (each consisting of 3 devices).

The problem is a fixed-size buffer defined on the stack of the get_ctc_channels()
and get_qeth_device() functions.  When iterating through the tree/list of
network devices, the buffer is filled to be later displayed to the user.
The strncat() function writes beyond the end of the buffer and corrupts
the function stack, because its size argument limits the number of characters
appended rather than the total size of the destination.

To solve this problem, the buffer that contains the network device list is
dynamically allocated.  The buffer size is determined from the number of
network devices.

Thanks and kind regards,
  Hendrik
>From 223ebc92969fcb5996aef83e4bfdfe93f2861c51 Mon Sep 17 00:00:00 2001
From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Date: Thu, 21 Jan 2016 19:53:36 +0100
Subject: [PATCH 2/3] netdevice: correct stack corruption due to numerous
 devices

If there are numerous network devices present, the size of the
static buffer (on the stack) is exceeded and the program fails.

Dynamically allocate memory to create a complete list of channel
devices to be displayed to the user.

Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
---
 netdevice.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 68 insertions(+), 21 deletions(-)

diff --git a/netdevice.c b/netdevice.c
index b8512fb..c886170 100644
--- a/netdevice.c
+++ b/netdevice.c
@@ -85,6 +85,12 @@ static const struct driver drivers[] =
 	{ "qeth", CHANNEL_TYPE_QETH },
 };
 
+struct buffer_desc
+{
+	char  *buf;
+	size_t size;
+};
+
 enum
 {
 	TYPE_NONE = 0,
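Review bot: The new `struct buffer_desc` has no comment saying what `size` counts. Both append callbacks in the later hunks pass `bd->size` to `di_snprintfcat` as the destination size, so it is the number of bytes allocated for `buf` including the terminating NUL, not the current string length. A one-line comment above the struct, such as `/* buf: NUL-terminated list under construction; size: bytes allocated for buf */`, would keep a later caller from passing a length instead. The enum that follows continues outside the hunk.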
@@ -314,54 +320,76 @@ static di_hfunc get_ctc_channels_append;
 static void get_ctc_channels_append (void *key __attribute__ ((unused)), void *value, void *user_data)
 {
 	struct channel *channel = value;
-	char *buf = user_data;
+	struct buffer_desc *bd = user_data;
+
 	if (channel->type == CHANNEL_TYPE_CU3088_CTC)
-	{
-		if (buf[0])
-			strncat (buf, ", ", 64 * 8);
-		strncat (buf, channel->name, 64 * 8);
-	}
+		di_snprintfcat (bd->buf, bd->size, "%s%s",
+				bd->buf[0] ? ", " : "",
+				channel->name);
 }
 
 static enum state_wanted get_ctc_channels (void)
 {
-	char buf[64 * 8] = { 0 }, *ptr;
 	const char *template;
+	struct buffer_desc bd;
 	int dev, ret;
+	char *ptr;
 
-	di_tree_foreach (channels, get_ctc_channels_append, buf);
+	/* Allocate memory to create the complete list of channels,
+	 * account 2 characters as list separator, 9 characters to
+	 * contain the channel bus-ID (xx.y.zzzz), and a NUL to end
+	 * the string.
+	 */
+	bd.size = di_tree_size (channels) * (2 + 9 + 1);
+	bd.buf = di_malloc0 (bd.size);
 
-	if (!strlen (buf))
+	di_tree_foreach (channels, get_ctc_channels_append, &bd);
+
+	if (!strlen (bd.buf))
 	{
 		my_debconf_input ("critical", TEMPLATE_PREFIX "ctc/no", &ptr);
+		di_free (bd.buf);
 		return WANT_BACKUP;
 	}
 
 	template = TEMPLATE_PREFIX "ctc/choose_read";
-	debconf_subst (client, template, "choices", buf);
+	debconf_subst (client, template, "choices", bd.buf);
 	debconf_input (client, "critical", template);
 	ret = debconf_go (client);
 	if (ret == 30)
+	{
+		di_free (bd.buf);
 		return WANT_BACKUP;
+	}
 	if (ret)
+	{
+		di_free (bd.buf);
 		return WANT_ERROR;
+	}
 	debconf_get (client, template);
 
 	dev = channel_device (client->value);
 	device_current->ctc.channels[0] = di_tree_lookup (channels, &dev);
 
 	template = TEMPLATE_PREFIX "ctc/choose_write";
-	debconf_subst (client, template, "choices", buf);
+	debconf_subst (client, template, "choices", bd.buf);
 	debconf_input (client, "critical", template);
 	ret = debconf_go (client);
 	if (ret == 30)
+	{
+		di_free (bd.buf);
 		return WANT_BACKUP;
+	}
 	if (ret)
+	{
+		di_free (bd.buf);
 		return WANT_ERROR;
+	}
 	debconf_get (client, template);
 
 	dev = channel_device (client->value);
 	device_current->ctc.channels[1] = di_tree_lookup (channels, &dev);
+	di_free (bd.buf);
 
 	return WANT_NEXT;
 }
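Review bot: In get_ctc_channels, `bd.size` is zero when `channels` is empty, so `di_malloc0 (bd.size)` is asked for zero bytes and the `strlen (bd.buf)` that follows reads from a zero-length allocation (what di_malloc0 returns for a zero-byte request is not visible here). The removed stack array always held at least one NUL, so the "ctc/no" path was well defined before this change. Reserving one extra byte restores that: `bd.size = di_tree_size (channels) * (2 + 9 + 1) + 1;`. get_qeth_device in the next hunk has the same pattern with `devices` and needs the same `+ 1` after `bd.size *= di_tree_size (devices);`.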
@@ -408,41 +436,60 @@ static di_hfunc get_qeth_device_append;
 static void get_qeth_device_append (void *key __attribute__ ((unused)), void *value, void *user_data)
 {
 	struct device *device = value;
-	char *buf = user_data;
+	struct buffer_desc *bd = user_data;
+
 	if (device->type == DEVICE_TYPE_QETH)
-	{
-		if (buf[0])
-			strncat (buf, ", ", 64 * 28);
-		di_snprintfcat (buf, 64 * 28, "%s-%s-%s", device->qeth.channels[0]->name, device->qeth.channels[1]->name, device->qeth.channels[2]->name);
-	}
+		di_snprintfcat (bd->buf, bd->size, "%s%s-%s-%s",
+				bd->buf[0] ? ", " : "",
+				device->qeth.channels[0]->name,
+				device->qeth.channels[1]->name,
+				device->qeth.channels[2]->name);
 }
 
 static enum state_wanted get_qeth_device (void)
 {
-	char buf[64 * 28] = { 0 }, *ptr;
 	const char *template;
+	struct buffer_desc bd;
 	int dev, ret;
+	char *ptr;
+
+	/* Allocate memory to create the complete list of channels,
+	 * account 2 characters as list separator, 10 characters
+	 * for each qeth channel bus-ID (xx.y.zzzz), delimited with
+	 * "-", and a NUL to end the string.
+	 */
+	bd.size = 2 + 3 * 10 + 1;
+	bd.size *= di_tree_size (devices);
+	bd.buf = di_malloc0 (bd.size);
 
-	di_tree_foreach (devices, get_qeth_device_append, buf);
+	di_tree_foreach (devices, get_qeth_device_append, &bd);
 
-	if (!strlen (buf))
+	if (!strlen (bd.buf))
 	{
 		my_debconf_input ("critical", TEMPLATE_PREFIX "qeth/no", &ptr);
+		di_free (bd.buf);
 		return WANT_BACKUP;
 	}
 
 	template = TEMPLATE_PREFIX "qeth/choose";
-	debconf_subst (client, template, "choices", buf);
+	debconf_subst (client, template, "choices", bd.buf);
 	debconf_input (client, "critical", template);
 	ret = debconf_go (client);
 	if (ret == 30)
+	{
+		di_free (bd.buf);
 		return WANT_BACKUP;
+	}
 	if (ret)
+	{
+		di_free (bd.buf);
 		return WANT_ERROR;
+	}
 	debconf_get (client, template);
 
 	dev = channel_device (client->value);
 	device_current = di_tree_lookup (devices, &dev);
+	di_free (bd.buf);
 
 	return WANT_NEXT;
 }
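Review bot: The allocation in get_qeth_device is sized from an assumed bus-ID width (10 bytes per channel name) rather than from the names themselves, and nothing in the hunk checks that assumption. Assuming `di_snprintfcat` honours the `bd->size` it is given, a longer `channels[n]->name` cannot overrun the buffer, but the list would be cut short silently and a partial entry could be offered as a choice. If names are not guaranteed to fit, either sum `strlen` of each name in a first pass over `devices` or detect a full buffer after `di_tree_foreach` and treat it as an error. The comment also describes `xx.y.zzzz` as 10 characters; it is 9 plus the "-" delimiter, which is worth stating so the arithmetic can be checked. get_ctc_channels makes the same width assumption with `2 + 9 + 1`.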
-- 
2.7.0.rc3


--- End Message ---
--- Begin Message ---
Source: s390-netdevice
Source-Version: 0.0.40

We believe that the bug you reported is fixed in the latest version of
s390-netdevice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Kern <pkern@debian.org> (supplier of updated s390-netdevice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 07 Feb 2016 01:41:26 +0100
Source: s390-netdevice
Binary: s390-netdevice
Architecture: source s390x
Version: 0.0.40
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Philipp Kern <pkern@debian.org>
Description:
 s390-netdevice - Configure network hardware (udeb)
Closes: 813089 813121
Changes:
 s390-netdevice (0.0.40) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb.
 .
   [ Hendrik Brueckner ]
   * qeth: substitute layer and port number in qeth/confirm template
     (Closes: #813121)
   * netdevice: correct stack corruption due to numerous devices
     (Closes: #813089)
Checksums-Sha1:
 73449b0cd2f00ce2981934327d08ba618d63ff54 1441 s390-netdevice_0.0.40.dsc
 ea20c79d503cdbcd50be75f154a85263de983830 95428 s390-netdevice_0.0.40.tar.xz
 569fd78928a2812c6ff4589d60305a0b80f6703a 83268 s390-netdevice_0.0.40_s390x.udeb
Checksums-Sha256:
 5fbf8e732531b76226cfd0321cf617d5e7ae09a9f5d2ae0939c7a0069ff89692 1441 s390-netdevice_0.0.40.dsc
 9f3c631d92ea6a4384f61e9d3429a6c5ac2c83bc919d5690f60642dc0f3a2648 95428 s390-netdevice_0.0.40.tar.xz
 738f22240cf0f96b9cae69d2d69dbfb619f5e7fdbc14391873512459289668b5 83268 s390-netdevice_0.0.40_s390x.udeb
Files:
 212e620944613b0b6e98bcef7d714305 1441 debian-installer standard s390-netdevice_0.0.40.dsc
 7a1a392b3216ce56e7d67199ccb2089b 95428 debian-installer standard s390-netdevice_0.0.40.tar.xz
 489bf4e99c08e2fa39110ee49f7b9727 83268 debian-installer standard s390-netdevice_0.0.40_s390x.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJWtpPxAAoJEERuJUU10Fbsg5cH/2i7rE8GzdiC3qI39+N40U5/
BiOUo0DTmGYbN8xVnPsFB3HccQlWRWEqo8x6xo0XmkpBXfel5OqoZagv761JlYhx
5jh0aRpwHolbvWf5cyLmbFWWBaUjSxssek/ZbgSw4yj1PKaQh5eIZF1LUmvjiUBg
xqgB/3iZi7dgaBanqlA0hrjEBkgb/+ABQRDEdkUZv5u27Ga4QB0puO3/OPrmvhzw
Kxn1phvwNBPkRDGDYUroymbWoCRfIWxnXXenkp+ETXtkvdc28TUc1LeHHE6bsPTv
cNCN+/9sk8sK5ZsRyqucjnl4KORyUhU9KGGtSJUvNqiGDFKRB2E9TuFq3h7rTqE=
=O5iE
-----END PGP SIGNATURE-----

--- End Message ---
