Bug#568290: ax25-tools: beacon crashes if the length of the destination exceeds 20
Package: ax25-tools
Version: 0.0.8-13.1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch
In Ubuntu, we've applied the attached patch to achieve the following:
* Fix beacon -d <longstring> crash (LP: #353219):
- Cherry-pick fix from upstream ax25_tools_0_0_10_rc1 (www.linux-ax25.org):
ax25/beacon.c (CVS rev 1.2): important security fix:
char addr[20] was static and strcpy(addr,.argv[n]) of variable length.
We thought you might be interested in doing the same.
--- ax25-tools-0.0.8.orig/ax25/beacon.c
+++ ax25-tools-0.0.8/ax25/beacon.c
@@ -43,7 +43,7 @@
struct full_sockaddr_ax25 dest;
struct full_sockaddr_ax25 src;
int s, n, dlen, len, interval = 30;
- char addr[20], *port, *message, *portcall;
+ char *addr, *port, *message, *portcall;
char *srccall = NULL, *destcall = NULL;
while ((n = getopt(argc, argv, "c:d:lmst:v")) != -1) {
@@ -100,27 +100,36 @@
return 1;
}
+ addr = NULL;
if (mail)
- strcpy(addr, "MAIL");
+ addr = strdup("MAIL");
else if (destcall != NULL)
- strcpy(addr, destcall);
+ addr = strdup(destcall);
else
- strcpy(addr, "IDENT");
+ addr = strdup("IDENT");
+ if (addr == NULL)
+ return 1;
if ((dlen = ax25_aton(addr, &dest)) == -1) {
fprintf(stderr, "beacon: unable to convert callsign '%s'\n", addr);
return 1;
}
+ if (addr != NULL) free(addr); addr = NULL;
- if (srccall != NULL && strcmp(srccall, portcall) != 0)
+ if (srccall != NULL && strcmp(srccall, portcall) != 0) {
+ if ((addr = (char *) malloc(strlen(srccall) + 1 + strlen(portcall) + 1)) == NULL)
+ return 1;
sprintf(addr, "%s %s", srccall, portcall);
- else
- strcpy(addr, portcall);
+ } else {
+ if ((addr = strdup(portcall)) == NULL)
+ return 1;
+ }
if ((len = ax25_aton(addr, &src)) == -1) {
fprintf(stderr, "beacon: unable to convert callsign '%s'\n", addr);
return 1;
}
+ if (addr != NULL) free(addr); addr = NULL;
if (!single) {
if (!daemon_start(FALSE)) {
Reply to: