
Bug#616355: marked as done (Segmentation fault with simple rules.)



Your message dated Mon, 20 Oct 2014 21:30:11 +0000
with message-id <E1XgKWp-0003NZ-KD@franck.debian.org>
and subject line Bug#616355: fixed in tcpspy 1.7d-9
has caused the Debian Bug report #616355,
regarding Segmentation fault with simple rules.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
616355: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616355
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: tcpspy
Version: 1.7d-4
Severity: important
Tags: patch

It is very simple to generate a segmentation fault with this software:

   tcpspy -d -e 'raddr 192.168.0.0/255.255.255.0'

and then a telnet call! The cause is a stack underrun: a pop command
on an empty stack causes the address exception.

The underlying problem is that a simple (singleton) rule still causes
a bytecode BC_OR to be put onto the stack, forcing the evaluation engine to
continue where it really should finalize execution. The best remedy
seems to be the push of an initial FALSE onto the empty stack.
That can never hurt any evaluation. Do not be fooled by the correct
evaluation of

   tcpspy -d -e 'raddr 192.168.0.1 or raddr 10.1.2.3.4'

since then the binary relation BC_OR is indeed correct.

My patch also suggests a slight alteration to matching with non-trivial
netmasks:

    raddr 192.168.0.123/255.255.255.192

is now able to catch traffic, without the need for manually calculating
the reduction of '192.168.0.123' modulo '255.255.255.192'. It is an
unnecessary pain to do this by hand. Computers should do that for us.

Best regards,
  Mats Erik Andersson, DM
Description: Recover from stack underflow fault.
 When applied with a single rule like
   tcpspy -e 'raddr 10.1.2.3'
 an incorrect bytecode BC_OR is still put on the stack.
 This causes the rule traversal to pop an empty stack,
 thus causing a segmentation fault. The good remedy is
 initially to push a FALSE onto the empty stack, serving
 as a guard against a later evaluation. Composite rules
   tcpspy -e 'raddr 10.1.2.3 and laddr 10.1.2.33'
 never cause this segfault.
 .
 In addition, to simplify for the user, the netmask
 is applied to both addresses, the observed address
 and the stored address. This avoids false negatives
 due to miscalculation by the administrator.
Author: Mats Erik Andersson <debian@gisladisker.se>
Forwarded: no
Last-Update: 2011-03-03

diff -Naur tcpspy-1.7d.debian/rule.c tcpspy-1.7d/rule.c
--- tcpspy-1.7d.debian/rule.c	2002-01-25 02:00:50.000000000 +0100
+++ tcpspy-1.7d/rule.c	2011-03-03 18:35:44.000000000 +0100
@@ -293,6 +293,8 @@
 	static size_t stack_size = 0, stack_ptr = 0;
 
 	stack_ptr = 0;
+	PUSH(0);	/* Put a single FALSE onto the stack. This protects
+			 * against a segfault caused by simple rules. */
 
 	for (ip = 0; ip < code_length; ) {
 		c = NEXTCODE;
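Review bot: the `PUSH(0)` at the top of the loop works around the symptom (a single-clause rule being emitted with a trailing BC_OR, as the description says) rather than the unbalanced bytecode itself; consider also fixing the emitter so a singleton rule produces no BC_OR, and making the pop side check `stack_ptr > 0` so any future underflow fails with a diagnostic instead of reading below the array. The description's claim that the extra FALSE "can never hurt" also deserves a sentence in the comment: after a composite rule the FALSE stays beneath the result, which is harmless only if the final verdict is read from the top of the stack rather than by requiring the stack to be empty.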
@@ -360,7 +362,7 @@
 
 				SHORTCIRCUIT;
 
-				PUSH (((mladdr & mask) == addr) ? 1 : 0);
+				PUSH (((mladdr & mask) == (addr & mask)) ? 1 : 0);
 				}
 				break;	
 			case BC_RADDR:
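Review bot: masking both sides in `PUSH (((mladdr & mask) == (addr & mask)) ? 1 : 0);` removes the false negatives the description mentions, but `addr & mask` is a per-rule constant; normalising the stored address once at rule-compile time would keep the per-connection path to one AND and one compare, and would give the parser a natural place to warn when a rule's address has host bits set instead of reducing it silently.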
@@ -375,7 +377,7 @@
 
 				SHORTCIRCUIT;
 
-				PUSH (((mraddr & mask) == addr) ? 1 : 0);
+				PUSH (((mraddr & mask) == (addr & mask)) ? 1 : 0);
 				}
 				break;	
 
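Review bot: this hunk is the BC_LADDR change repeated with `mraddr` in place of `mladdr`; now that the two comparisons must stay in step, factor them into one helper or macro (for example a hypothetical `MATCH_MASKED(observed, rule_addr, mask)`) so a later edit to one branch cannot drift from the other.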



--- End Message ---
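The two points in the report above, the stack underrun caused by a stray BC_OR after a singleton rule and the false negative from an unreduced netmask address, as an added, constructed C model; this is not tcpspy's rule.c, and the opcode names, `instr_t`, `eval` and the three `singleton_*` functions are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the stack machine the report describes (an added illustration,
 * not tcpspy's rule.c): an address clause pushes its match result, BC_OR pops two
 * values and pushes their disjunction. */
enum { BC_RADDR = 1, BC_OR = 2 };
typedef struct { int op; uint32_t addr, mask; } instr_t;
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define STACK_MAX 16

/* Returns 1 (match) or 0, or -1 where the unpatched evaluator would read below its stack.
 * guard    : push an initial FALSE first, as the patch's first hunk does.
 * mask_both: compare (raddr & mask) with (addr & mask), the patch's other change. */
static int eval(const instr_t *code, size_t n, uint32_t raddr, int guard, int mask_both)
{
    int stack[STACK_MAX];
    size_t sp = 0;
    if (guard)
        stack[sp++] = 0;
    for (size_t ip = 0; ip < n; ip++) {
        const instr_t *c = &code[ip];
        if (c->op == BC_RADDR) {
            uint32_t want = mask_both ? (c->addr & c->mask) : c->addr;
            stack[sp++] = (raddr & c->mask) == want;
        } else if (c->op == BC_OR) {
            if (sp < 2)
                return -1;              /* underflow: the reported segfault */
            int b = stack[--sp];
            int a = stack[--sp];
            stack[sp++] = a || b;
        } else {
            return -1;                  /* unknown opcode */
        }
    }
    return sp ? stack[sp - 1] : -1;
}

/* 'raddr 192.168.0.123/255.255.255.192' as the report says it is emitted:
 * a single clause followed by a stray BC_OR. */
static const instr_t singleton[] = {
    { BC_RADDR, IP4(192, 168, 0, 123), IP4(255, 255, 255, 192) },
    { BC_OR, 0, 0 },
};
/* Unpatched: the stray BC_OR pops an empty stack. */
int singleton_unpatched(uint32_t raddr) { return eval(singleton, 2, raddr, 0, 0); }
/* Guard only: 192.168.0.100 lies in the /26, but the stored .123 was never reduced. */
int singleton_guard_only(uint32_t raddr) { return eval(singleton, 2, raddr, 1, 0); }
/* Fully patched: the FALSE absorbs the BC_OR and both sides are masked. */
int singleton_patched(uint32_t raddr) { return eval(singleton, 2, raddr, 1, 1); }
```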
--- Begin Message ---
Source: tcpspy
Source-Version: 1.7d-9

We believe that the bug you reported is fixed in the latest version of
tcpspy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 616355@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joao Eriberto Mota Filho <eriberto@debian.org> (supplier of updated tcpspy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 16 Oct 2014 17:07:26 -0300
Source: tcpspy
Binary: tcpspy
Architecture: source amd64
Version: 1.7d-9
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Joao Eriberto Mota Filho <eriberto@debian.org>
Description:
 tcpspy     - Incoming and Outgoing TCP/IP connections logger
Closes: 616355 616473 617424
Changes:
 tcpspy (1.7d-9) unstable; urgency=medium
 .
   * QA upload.
   * Upload to unstable.
   * Fixed an FTBFS in some architectures. Thanks a lot to
     Luis Valdes <luisvaldes88@gmail.com>.
   * debian/control: updated the long description.
   * debian/copyright:
       - Migrated to 1.0 format.
       - Updated the upstream and packaging data.
   * debian/manpages: created to install all manpages.
   * debian/patches/:
       - Added the 'add_support_to_ipv6' patch, written by Mats Erik Andersson
         <debian@gisladisker.se> and reviewed by Joao Eriberto Mota Filho. This
         patch implements a previous patch from the same author too. Part of
         the patch was directly applied to debian/tcpspy.rules.5. Thanks a lot
         to Mats. (Closes: #616355, #616473)
       - Added the 'add_security' patch. Thanks again to Mats Erik Andersson
         <debian@gisladisker.se>. (Closes: #617424)
       - Updated the 'manpage' patch.
   * debian/tcpspy.8: removed because the upstream has a manpage too.
   * debian/tcpspy.init:
       - Added the 'Description' field to header.
       - Added a call to LSB init functions.
       - Added a test to check the '/etc/tcpspy.rules' file presence.
       - Added the 'status' option.


--- End Message ---
