Package: iproute
Version: 20041019-1
Severity: serious
Tags: patch

When tc/normal.c is populating the table that it callocs, it is possible that it will get TABLESIZE for an answer, and thereby overrun the table. Depending on glibc's mood, this may or may not cause the library to abort the detected heap corruption.
Additionally, the arguments to calloc are backwards. The patch below fixes this.

lamont

================================================================= #! /bin/sh /usr/share/dpatch/dpatch-run ## normal.dpatch by LaMont Jones <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Correct calloc call in normal to avoid running off the end of the ## DP: table. @DPATCH@ diff -urNad iproute-20041019/tc/normal.c /tmp/dpep.eEsnGf/iproute-20041019/tc/normal.c --- iproute-20041019/tc/normal.c 2004-10-19 14:49:02.000000000 -0600 +++ /tmp/dpep.eEsnGf/iproute-20041019/tc/normal.c 2005-09-06 14:42:16.000000000 -0600 @@ -26,7 +26,7 @@ double x, *table; int i, n; - table = calloc(sizeof(double), TABLESIZE); + table = calloc(TABLESIZE+1, sizeof(double)); if (!table) { fprintf(stderr, "Not enough memory\n"); return 1; =================================================================

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages iproute depends on:
ii libc6 2.3.5-0ubuntu1 GNU C Library: Shared libraries an

-- no debconf information
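Review bot: The "+1" on the added line "table = calloc(TABLESIZE+1, sizeof(double));" has no comment explaining it, and the code that computes the index and writes into the table is not touched in the visible lines, so the patch fixes the overrun only by making the buffer one slot larger. Please add a comment at the allocation saying the extra element exists because the computed index can equal TABLESIZE, and consider also checking the index against the table bounds where the write happens, so that a later change to the index computation fails safely instead of corrupting the heap again. Any code that later walks or prints the table needs to agree on whether it holds TABLESIZE or TABLESIZE+1 entries; that is not visible in this hunk and is worth confirming. The argument swap puts calloc's arguments in the documented (count, element size) order; the size change that addresses the overrun is the "+1", so the DP: description could say so explicitly.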