Bug#780505: icom: buffer overflow when running 'radio' command
Package: icom
Version: 20120228-1
Severity: important
Tags: patch
Dear Maintainer,
I get a buffer overflow when I run the 'radio' command in icom.
Here is the backtrace:
#0 0x00007ffff7767107 in __GI_raise (sig=sig@entry=6) at
.../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff77684e8 in __GI_abort () at abort.c:89
#2 0x00007ffff77a5204 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x7ffff7895a2b "*** %s ***: %s terminated\n") at
.../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff78284c7 in __GI___fortify_fail (msg=msg@entry=0x7ffff78959c2
"buffer overflow detected") at fortify_fail.c:31
#4 0x00007ffff78266e0 in __GI___chk_fail () at chk_fail.c:28
#5 0x00007ffff7825be9 in _IO_str_chk_overflow (fp=<optimized out>,
c=<optimized out>) at vsprintf_chk.c:33
#6 0x00007ffff777fcd7 in ___printf_fp (fp=fp@entry=0x7fffffffda80,
info=info@entry=0x7fffffffd600, args=args@entry=0x7fffffffd5e0) at
printf_fp.c:1228
#7 0x00007ffff777c9bd in _IO_vfprintf_internal (s=s@entry=0x7fffffffda80,
format=<optimized out>, format@entry=0x407cad " %10.0lf",
ap=ap@entry=0x7fffffffdbb8) at vfprintf.c:1641
#8 0x00007ffff7825c78 in ___vsprintf_chk (s=0x7fffffffdc90 " 4111`",
flags=1, slen=11, format=0x407cad " %10.0lf", args=args@entry=0x7fffffffdbb8)
at vsprintf_chk.c:85
#9 0x00007ffff7825bcd in ___sprintf_chk (s=s@entry=0x7fffffffdc90 "
4111`", flags=flags@entry=1, slen=slen@entry=11, format=format@entry=0x407cad "
%10.0lf") at sprintf_chk.c:31
#10 0x0000000000405da2 in sprintf (__fmt=0x407cad " %10.0lf",
__s=0x7fffffffdc90 " 4111`") at /usr/include/x86_64-linux-
gnu/bits/stdio2.h:33
#11 doublefreq (freq=<optimized out>, x=x@entry=0x7fffffffdcd1 "", len=5) at
radio.c:1026
#12 0x0000000000405e9e in loadfreq (rp=rp@entry=0x61d010, freq=<optimized out>)
at radio.c:509
#13 0x0000000000406e5e in select_radio (ident=102, baud=baud@entry=0) at
radio.c:189
#14 0x0000000000402c78 in qqsv (rp=0x0, cmdop=cmdop@entry=0x61ab00 <cmd>) at
icom.c:467
#15 0x0000000000405153 in command (rp=<optimized out>, cmdop=0x61ab00 <cmd>) at
icom.c:379
#16 0x0000000000405700 in main (argc=<optimized out>, argcv=<optimized out>) at
icom.c:343
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages icom depends on:
ii libc6 2.19-15
icom recommends no packages.
icom suggests no packages.
-- no debconf information
Index: icom-20120228/radio.c
===================================================================
--- icom-20120228.orig/radio.c
+++ icom-20120228/radio.c
@@ -1023,7 +1023,7 @@ doublefreq(
char s1[11];
char *y;
- sprintf(s1, " %10.0lf", freq);
+ snprintf(s1, sizeof(s1), " %10.0lf", freq);
y = s1 + 10;
i = 0;
while (*y != ' ') {
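Review bot: the buffer declared in the context line char s1[11]; is still one byte too small for this format, so the snprintf call trades the overflow for a truncation. " %10.0lf" produces at least 11 characters (one space plus a field of width 10) and needs a twelfth byte for the terminating NUL. With snprintf(s1, sizeof(s1), ...) only 10 characters are stored, so the last digit of the frequency is dropped and y = s1 + 10 now points at the NUL terminator instead of the least significant digit, which is where the while (*y != ' ') loop starts reading. Suggest enlarging the buffer as well (at least char s1[12], more if freq can exceed ten digits) and comparing snprintf's return value against sizeof(s1) so a truncated result is rejected rather than parsed.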