
Bug#418975: marked as done (libnet1: Buffer overrun in libnet_pblock_coalesce)



Your message dated Tue, 16 Jun 2009 23:47:08 +0000
with message-id <E1MGiMu-0006o4-VO@ries.debian.org>
and subject line Bug#418975: fixed in libnet 1.1.4-1
has caused the Debian Bug report #418975,
regarding libnet1: Buffer overrun in libnet_pblock_coalesce
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
418975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418975
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libnet1
Version: 1.1.2.1-2
Severity: important
Tags: patch


Hi,

while investigating #418749 and #417835 I discovered that
libnet_do_checksum() seems to be accessing unallocated memory.

The problem seems to stem from libnet_pblock_coalesce(), which passes
buf + offset, where offset is calculated to be
(l->total_size + l->aligner) - q->ip_offset. However, in the usage
case that I see q->ip_offset is always zero, and as buf
is malloc'ed to be l->total_size + l->aligner bytes long earlier in
libnet_pblock_coalesce(), unallocated memory is passed to the
libnet_do_checksum() call.

Poking around a bit, it seems that the memory is also uninitialised.
I'm not sure what the correct fix is, but I wonder if offset
should actually be l->aligner + q->ip_offset. This certainly
solves the problem that was reported in #418749 and #417835.
But as both l->aligner and q->ip_offset are zero I am not sure if
it is correct in the general case.

--- libnet-1.1.2.1-wip.orig/src/libnet_pblock.c	2007-04-13 14:46:34.000000000 +0900
+++ libnet-1.1.2.1-wip/src/libnet_pblock.c	2007-04-13 14:46:58.000000000 +0900
@@ -389,7 +389,7 @@
             {
                 if ((q->flags) & LIBNET_PBLOCK_DO_CHECKSUM)
                 {
-                    int offset = (l->total_size + l->aligner) - q->ip_offset;
+                    int offset = l->aligner + q->ip_offset;
                     c = libnet_do_checksum(l, *packet + offset,
                             libnet_pblock_p2p(q->type), q->h_len);
                     if (c == -1)
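Review bot: the replacement line changes what `offset` measures, not just its arithmetic: the old `(l->total_size + l->aligner) - q->ip_offset` counted back from the end of the `total_size + aligner` byte buffer (so with `ip_offset == 0` it pointed exactly one past the allocation, which is the overrun), whereas the new `l->aligner + q->ip_offset` counts forward from the alignment padding. Since the report only exercised the case where both terms are zero, the hunk should carry a comment stating that `q->ip_offset` is the block's distance from the start of the packet buffer, and the call `libnet_do_checksum(l, *packet + offset, ..., q->h_len)` should be preceded by a check that `offset + q->h_len` does not exceed `l->total_size + l->aligner`; the existing `if (c == -1)` only runs after the read has already happened.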


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (190, 'unstable'), (180, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.utf8, LC_CTYPE=ja_JP.utf8 (charmap=UTF-8) (ignored: LC_ALL set to ja_JP.utf8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnet1 depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries

libnet1 recommends no packages.

-- no debconf information


--- End Message ---
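As an added example (not code from the report or from libnet), the following C program models the offset arithmetic the report describes with constructed values: a buffer of l->total_size + l->aligner bytes, the original end-relative offset beside the proposed start-relative one, and a bounds check on the h_len-byte checksum window that a coalesce routine could apply before handing the pointer to a checksum function. The struct and function names are assumptions; only the field names come from the report.

```c
/* Added example, not libnet's code: reproduces the report's offset arithmetic
 * with constructed values and bounds-checks the checksum window first. Types
 * and function names are hypothetical; the field names follow the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pkt_ctx { size_t total_size; size_t aligner; };  /* stands in for libnet_t *l */
struct pblock  { size_t ip_offset; size_t h_len; };     /* stands in for libnet_pblock_t *q */

/* libnet 1.1.2.1: offset measured back from the end of the buffer */
static long offset_old(const struct pkt_ctx *l, const struct pblock *q)
{ return (long)(l->total_size + l->aligner) - (long)q->ip_offset; }

/* the report's proposal: offset measured forward from the start of the buffer */
static long offset_proposed(const struct pkt_ctx *l, const struct pblock *q)
{ return (long)(l->aligner + q->ip_offset); }

/* 1 if [offset, offset + h_len) lies inside a buf_len-byte buffer, else 0 */
static int checksum_window_ok(long offset, size_t h_len, size_t buf_len)
{
    if (offset < 0 || (size_t)offset > buf_len)
        return 0;                          /* also keeps offset + h_len from wrapping */
    return h_len <= buf_len - (size_t)offset;
}

/* Allocates total_size + aligner bytes as the report describes, then checks the
 * window before touching it: 1 = checksum would stay in bounds, 0 = overrun. */
static int simulate_coalesce(const struct pkt_ctx *l, const struct pblock *q,
                             long (*offset_fn)(const struct pkt_ctx *, const struct pblock *))
{
    size_t buf_len = l->total_size + l->aligner;
    unsigned char *buf = calloc(buf_len, 1); /* zeroed: the report also saw uninitialised bytes */
    if (buf == NULL)
        return 0;
    long off = offset_fn(l, q);
    int ok = checksum_window_ok(off, q->h_len, buf_len);
    if (ok)
        memset(buf + off, 0, q->h_len);    /* the bytes libnet_do_checksum would read */
    free(buf);
    return ok;
}

int main(void)
{   /* constructed case: 40-byte IPv4+TCP headers, no aligner padding, ip_offset 0 */
    struct pkt_ctx l = { 40, 0 };
    struct pblock q = { 0, 20 };
    printf("old formula in bounds: %d, proposed formula in bounds: %d\n",
           simulate_coalesce(&l, &q, offset_old), simulate_coalesce(&l, &q, offset_proposed));
    return 0;
}
```

With the reporter's values (both aligner and ip_offset zero) the old formula yields offset 40 on a 40-byte buffer, so the 20-byte checksum window is rejected, while the proposed formula yields offset 0 and passes.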
--- Begin Message ---
Source: libnet
Source-Version: 1.1.4-1

We believe that the bug you reported is fixed in the latest version of
libnet, which is due to be installed in the Debian FTP archive:

libnet1-dbg_1.1.4-1_i386.deb
  to pool/main/libn/libnet/libnet1-dbg_1.1.4-1_i386.deb
libnet1-dev_1.1.4-1_i386.deb
  to pool/main/libn/libnet/libnet1-dev_1.1.4-1_i386.deb
libnet1-doc_1.1.4-1_all.deb
  to pool/main/libn/libnet/libnet1-doc_1.1.4-1_all.deb
libnet1_1.1.4-1_i386.deb
  to pool/main/libn/libnet/libnet1_1.1.4-1_i386.deb
libnet_1.1.4-1.diff.gz
  to pool/main/libn/libnet/libnet_1.1.4-1.diff.gz
libnet_1.1.4-1.dsc
  to pool/main/libn/libnet/libnet_1.1.4-1.dsc
libnet_1.1.4.orig.tar.gz
  to pool/main/libn/libnet/libnet_1.1.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 418975@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefanos Harhalakis <v13@v13.gr> (supplier of updated libnet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 10 Jun 2009 17:18:17 +0300
Source: libnet
Binary: libnet1 libnet1-dbg libnet1-dev libnet1-doc
Architecture: source all i386
Version: 1.1.4-1
Distribution: unstable
Urgency: low
Maintainer: Stefanos Harhalakis <v13@v13.gr>
Changed-By: Stefanos Harhalakis <v13@v13.gr>
Description: 
 libnet1    - library for the construction and handling of network packets
 libnet1-dbg - debugging symbols for libnet
 libnet1-dev - development files for libnet
 libnet1-doc - developers documentation files for libnet
Closes: 418975 516222
Changes: 
 libnet (1.1.4-1) unstable; urgency=low
 .
   * New upstream release.
   * Removed quilt dependencies (no more debian patches).
   * Install upstream CHANGELOG in docs.
 .
 libnet (1.1.3-2) unstable; urgency=low
 .
   * debian/copyright fixes.
   * Fixed upstream author.
 .
 libnet (1.1.3-1) unstable; urgency=low
 .
   * New upstream release / upstream takeover (Closes: #418975)
   * New maintainer (Closes: #516222)
   * debian/rules changed to CDBS




--- End Message ---
