Package: nvram-wakeup
Version: 0.99b-1
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu karmic ubuntu-patch

Hello!

When compiled with hardening-wrapper[1] enabled (or compiled with
Ubuntu's compiler), nvram-wakeup will always crash due to a 1-byte buffer
overflow in the xxd() function.  The attached patch solves the problem.

Upstream bug report: 
https://sourceforge.net/tracker/?func=detail&aid=2782757&group_id=35022&atid=412755
Ubuntu bug: https://bugs.launchpad.net/bugs/370261

Thanks!

-Kees

[1] http://wiki.debian.org/Hardening

-- 
Kees Cook                                            @debian.org
Description: fix the 1-byte buffer overflow in xxd()
Author: Kees Cook <[email protected]>
Ubuntu: https://bugs.edge.launchpad.net/bugs/370261
Upstream: https://sourceforge.net/tracker/?func=detail&aid=2782757&group_id=35022&atid=412755

--- nvram-wakeup-0.99b.orig/tools.c
+++ nvram-wakeup-0.99b/tools.c
@@ -30,6 +30,7 @@
 #include <errno.h>
 #include <string.h>
 #include <ctype.h>
+#include <assert.h>
 
 #include "nvram-wakeup.h"
 
@@ -163,7 +164,7 @@
 
 void xxd(unsigned char * bytes, int size, int loglevel) {
      int i,pos;
-     char out_line[49];
+     char out_line[50];
          
      for (i=0;i<=((size-1) / 16);i++) {
           sprintf(out_line, "%06X0: %02X%02X %02X%02X %02X%02X %02X%02X %02X%02X %02X%02X %02X%02X %02X%02X\n", i,
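Review bot: the sprintf into out_line on the last line of this hunk is still unbounded, so the new size of 50 is correct only while i prints as six hex digits (9 characters of prefix, 39 of data, the newline and the terminating NUL). %06X is a minimum width, and with an int size the loop bound (size-1)/16 can exceed 0xFFFFFF, at which point a seventh digit overruns the buffer again. Suggest snprintf(out_line, sizeof(out_line), ...) so the bound follows the declaration.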
@@ -173,6 +174,7 @@
                 bytes[16*i+12], bytes[16*i+13], bytes[16*i+14], bytes[16*i+15] ); 
           if (size < (i+1)*16 ) {
               pos = ((size&0xF)>>1)*5 + (size&1)*3 + 8;
+              assert(pos+1 < 50);
               out_line[pos]='\n';
               out_line[pos+1]=0;
           }
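Review bot: assert(pos+1 < 50) repeats the array size as a literal and disappears under NDEBUG; write it against sizeof(out_line), or use a real bounds check, so it cannot drift from the declaration. It also sits after the sprintf that caused the overflow, and from the formula on the line before it pos is at most 7*5 + 3 + 8 = 46, so it cannot fire for any size. Separately, the context lines show the sprintf reading up to bytes[16*i+15] before the size < (i+1)*16 test, so a final partial line reads past size bytes of the input; clamping those reads is worth a follow-up.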
