Package: tcpick
Version: 0.2.1-6

This started out life as Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/tcpick/+bug/1026902
The user reported that they can trigger a seg by running

    tcpick -wRC -wRS -r afile.pcap

Looking at write.c:avail_filename there are multiple problems:

    servername=(char *)lookup(conn_ptr->server.ip);
    sprintf(client_server,"%s_%s_%s", client_server, servername, getportname(server_port) );

is the line that segs; note that it's using a parameter (client_server) as the output string; according to the sprintf manpage this is sanely disallowed in C99 (and on Ubuntu segs, how this ever works on Debian is beyond me....)

Secondly, client_server is a fixed-length calloc'd buffer; I don't see anything that's ensuring there are no overruns, especially given that the names seem to be lookups in DNS(?) and textual portnames. (Although perhaps it happens to be sized large enough based on allowed limits of those??)

Dave
--
Dr. David Alan Gilbert | gro.gilbert @ treblig.org | http://www.treblig.org
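The two defects in the report (passing the destination buffer as its own `%s` argument, which is undefined behaviour because the source and destination objects overlap, and writing into a fixed-size buffer with no length check) are easiest to see next to a corrected version. The following is an added example written for this bug thread, not tcpick's code: the buffer size and the client/server name inputs are constructed, and the functions stand in for what a fixed `avail_filename` would need to do. It appends at the current end of the buffer with `snprintf` and a remaining-length argument, and refuses (restoring the buffer) rather than overrunning when a DNS name or port name is too long.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size; stands in for the calloc'd buffer the
 * report describes. Chosen small so the too-long case is easy to exercise. */
#define FILENAME_BUF_LEN 48

/* Safe replacement for the self-referential pattern
 *   sprintf(buf, "%s_%s_%s", buf, servername, portname);
 * The destination is never also passed as a %s argument (overlapping objects
 * are undefined behaviour). We append at the current end with snprintf, which
 * is given the exact number of bytes remaining. Returns true on success; on
 * truncation the previous contents are restored and false is returned. */
bool append_server_part(char *buf, size_t buf_len,
                        const char *servername, const char *portname)
{
    const char *end = memchr(buf, '\0', buf_len);
    if (end == NULL)              /* buffer is not NUL-terminated: refuse */
        return false;
    size_t used = (size_t)(end - buf);
    int n = snprintf(buf + used, buf_len - used, "_%s_%s", servername, portname);
    if (n < 0 || (size_t)n >= buf_len - used) {
        buf[used] = '\0';         /* undo the partial write */
        return false;
    }
    return true;
}

/* Builds "<clientname>_<clientport>_<servername>_<serverport>" into a
 * caller-supplied buffer of buf_len bytes. Returns true only if the whole
 * name fitted; on failure the buffer holds an empty string or the client part. */
bool build_conn_filename(char *buf, size_t buf_len,
                         const char *clientname, const char *clientport,
                         const char *servername, const char *serverport)
{
    int n = snprintf(buf, buf_len, "%s_%s", clientname, clientport);
    if (n < 0 || (size_t)n >= buf_len) {
        if (buf_len > 0)
            buf[0] = '\0';
        return false;
    }
    return append_server_part(buf, buf_len, servername, serverport);
}

int main(void)
{
    char name[FILENAME_BUF_LEN];

    /* Constructed inputs standing in for reverse-DNS and port-name lookups. */
    if (build_conn_filename(name, sizeof name, "client.example", "34567",
                            "server.example", "http"))
        printf("ok:      %s\n", name);

    /* A reverse-DNS answer longer than the remaining space: refused, not overrun. */
    const char *long_host =
        "a-very-long-reverse-dns-answer.subdomain.example.invalid";
    if (!build_conn_filename(name, sizeof name, "client.example", "34567",
                             long_host, "http"))
        printf("refused: buffer left as \"%s\"\n", name);
    return 0;
}
```

The caller decides what to do when `build_conn_filename` returns false (skip the write, fall back to a numeric name, or log it); the point is that the decision is made before any byte is written past the buffer, and no lookup result length is trusted.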