ArgusBug segfault on long -r

dbrumley at stanford.edu dbrumley at stanford.edu
Tue Mar 6 14:58:43 EST 2001 

>Description:
Argus copies the command line into a variable called cmdline.  cmdline
is a static buffer of size 4096.  No bounds checking is done on the
buffer, which may cause a segfault.

Specifically, the buffer will be overrun if a large number of files is
given on the command line.  Note this can be accomplished by
specifying a wildcard in a directory with a sufficient number of
files. In my case, we store netflow data files in 5 minute
increments.  The pathname plus the number of files was well over 4096.

>How-To-Repeat:
  create a lot of files and do a "./ra -r * -"

>Fix:
dbrumley at netops-10> diff argus_parse.h argus_parse.h.orig
181c181
< char *cmdline;        /* For David Brumley's amazingly long cmdlines ;o)
*/  ---
> char cmdline[MAXSTRLEN];      /* For David Brumley's amazingly long
cmdlines ;o) */  1296c1296
< extern char *cmdline;
---
> extern char cmdline [];
1357c1357
< extern char *cmdline; /* For David Brumley's amazingly long cmdlines ;o)
*/  ---
> extern char cmdline[MAXSTRLEN];       /* For David Brumley's amazingly
long cmdlines ;o) */

dbrumley at netops-10> diff argus_parse.c argus_parse.c.orig
221c221
<    int i, cc, op, retn = 0, fd = 0, Scmdline = 0, rcmdline = 0;
---
>    int i, op, retn = 0, fd = 0, Scmdline = 0, rcmdline = 0;
233,240d232
<
<    cc =0;
<
<    for(i=0; i<argc; i++)
<       cc+= strlen(argv[i]);
<
<    cmdline = (char *) malloc(sizeof(char) * (cc+argc+1));
<


i.e. count the strlen of each argument and add the number of arguments
because of the " " in the strcat in the copy command immediately following.


>Submitter-Id:  dbrumley
>Originator:
>Organization:
  stanford university
>Argus support: none
>Release:       argus-2.0
>Product:       ra
>Synopsis:      ra coredump on long command line
>Class:	        sw-bug
>Severity:      serious
>Priority:      medium

>Environment:

System:  SunOS flw-clt-master 5.7 Generic_106541-04 sun4u sparc SUNW,Ultra-4
Arch:    sun4

Paths:    /usr/local/bin/ra /usr/local/bin/make /usr/pubsw/bin/gmake
/usr/local/bin/gcc /usr/local/bin/cc


RA:      Ra Version 2.0.0.beta.8


GCC:     Reading specs from
/usr/local/lib/gcc-lib/sparc-sun-solaris2.7/2.8.1/specs gcc version 2.8.1

LIBC:
-rw-r--r--   1 bin      bin       1694308 Nov  2 22:06 /lib/libc.a
lrwxrwxrwx   1 root     root           11 May 13  1999 /lib/libc.so ->
./libc.so.1 -rwxr-xr-x   1 bin      bin       1115940 Nov  2 22:06
/lib/libc.so.1 -rw-r--r--   1 bin      bin       1694308 Nov  2 22:06
/usr/lib/libc.a lrwxrwxrwx   1 root     root           11 May 13  1999
/usr/lib/libc.so -> ./libc.so.1 -rwxr-xr-x   1 bin      bin       1115940
Nov  2 22:06 /usr/lib/libc.so.1








---------- End Forwarded Message ----------



---
Jeffrey T. Eaton                    esp              jeaton+ at andrew.cmu.edu
Research Systems Programmer                      Carnegie-Mellon University

More information about the argus mailing list