Installing AX25 on Ubuntu created ax0 and rose0 devices.
ip address says:
8: ax0: <BROADCAST,UP,LOWER_UP> mtu 253 qdisc pfifo_fast state UNKNOWN group default qlen 10
link/ax25 F6BVP-12 brd QST-0 permaddr LINUX-1
9: rose0: <NOARP,UP,LOWER_UP> mtu 251 qdisc noqueue state UNKNOWN group default qlen 1000
link/rose 2080835201 brd 0000000000
./ipmaddr says:
....
8: ax0
inet 224.0.0.1
9: rose0
inet 224.0.0.1
ifconfig rose0 says:
./ifconfig rose0
rose0: flags=193<UP,RUNNING,NOARP> mtu 251
rose 2080835201 txqueuelen 1000 (AMPR ROSE)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
However ifconfig ax0 reports:
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
*** buffer overflow detected ***: terminated
Abandon (core dumped)
Downloaded from sourceforge
./ifconfig --version
net-tools 3.14-alpha
Make with -ggdb2 and running gdb ifconfig rose0 or ax0
(gdb) run
Starting program: /home/bernard/Téléchargements/net-tools-code-20a78e06a69bd9b6b4e15468201d5d3aa9c395db/ifconfig
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
*** buffer overflow detected ***: terminated
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: Aucun fichier ou dossier de ce nom
(gdb)
What can be done to go further and find the source of the buffer overflow?
Bernard, f6bvp
Where :
Last edit: Mike Frysinger 2024-09-01
looks like the snprintf in ax should be easy to find with your contributed info, will let you know.
is that some malicious host or just regular enabled kernel? has it actually such hardware? maybe you can share the related proc files, meanwhile?
thanks a lot for reporting!
Last edit: Bernd Eckenfels 2024-08-28
Correction: gdb --args ./ifconfig rose0 is OK!
(gdb) run
Starting program: /home/bernard/Téléchargements/net-tools-code-20a78e06a69bd9b6b4e15468201d5d3aa9c395db/ifconfig rose0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
rose0: flags=193<UP,RUNNING,NOARP> mtu 251
rose 2080835201 txqueuelen 1000 (AMPR ROSE)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[Inferior 1 (process 48135) exited normally]
(gdb)
Removing -O2 in makefile solved the bug. I don't see why.
./ifconfig ax0
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
ax25 F6BVP-12 txqueuelen 10 (AMPR AX.25)
RX packets 23 bytes 529 (529.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 425 bytes 7868 (7.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Hi,
In a bug submission it is recommended to provide the application version.
This is what is shown when the command line option --version is used:
./ifconfig --version
net-tools 3.14-alpha
Last edit: Mike Frysinger 2024-09-01
Bug solved!
Increasing the buff[] size by one solved the issue
while keeping the -O2 optimize compile option, which is probably over-optimizing strlen!
Here is the diff file:
By the way:
Linux Ubuntu-2404 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
gcc version 13.2.0 (Ubuntu 13.2.0-23ubuntu4)
Regards,
Bernard, f6bvp / ai7bg
Last edit: Mike Frysinger 2024-09-01
Proof:
bernard@Ubuntu-2404:~$ ifconfig ax0
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
ax25 F6BVP-12 txqueuelen 10 (AMPR AX.25)
RX packets 379 bytes 14816 (14.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13999 bytes 991325 (968.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
bernard@Ubuntu-2404:~$ ifconfig --version
net-tools 3.14-alpha
bernard@Ubuntu-2404:~$
increasing buffer to 9 bytes is insufficient. the sprintf call can write up to 10 bytes.
i = ((ptr[6] & 0x1E) >> 1);
can be 2 digits, which means the sprintf will write 4 bytes, and since it always does it at offset 6, we need 10. would be good to simplify the sprintf code a little too while at it.
Mike,
I patched ax25.c and it compiles and works perfectly.
Thanks a lot for your suggestions. I learned something !
./ifconfig ax0
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
ax25 F6BVP txqueuelen 10 (AMPR AX.25)
RX packets 13 bytes 285 (285.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 100 bytes 3246 (3.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
diff -pruN a/lib/ax25.c b/lib/ax25.c
--- a/lib/ax25.c 2023-06-29 11:16:10.000000000 +0200
+++ b/lib/ax25.c 2024-09-01 17:23:33.411623086 +0200
@@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;
static const char AX25_print(const char ptr)
{
- static char buff[8];
+ static char buff[10];
int i;
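Review bot: buff[10] is exactly the worst case (6 callsign characters, '-', two SSID digits for values 10 to 15, NUL), so the resize leaves no slack; a bounded write in the suffix sprintf would keep a future format change from overflowing again. Separately, the signature line in this hunk reads `static const char AX25_print(const char ptr)` with no `*`, while the next hunk's header shows `static const char *AX25_print(const char`; the asterisks look lost in the paste, so check the file before applying.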
@@ -60,7 +60,7 @@ static const char *AX25_print(const char
buff[6] = '\0';
i = ((ptr[6] & 0x1E) >> 1);
if (i != 0)
- sprintf(&buff[strlen(buff)], "-%d", i);
+ sprintf(buff + 6, "-%d", i);
return (buff);
}
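Review bot: `sprintf(buff + 6, "-%d", i);` drops the strlen() and assumes the callsign already fills six bytes. The output posted with this patch shows the consequence: the interface now prints `ax25 F6BVP` where the earlier proof printed `ax25 F6BVP-12`, because a five-character callsign is terminated before index 6 and the suffix written there is never part of the string. Keep the append at the real end of the string and bound it, e.g. `snprintf(buff + strlen(buff), sizeof buff - strlen(buff), "-%d", i);`.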
i don't think it works without strlen: the first part can be up to 6, in the example from Bernard it is only 5. we could exit the loop and use i instead of strlen, though.
thanks, i thought the loop always wrote out 6 bytes followed by the NUL, but didn't read it closely enough.
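The two points made above, the 6 + 1 + 2 + 1 byte accounting for the buffer and the need to append the SSID at the real end of a variable-length callsign, are easy to check with a small stand-alone program. The following is an added example written for this thread, not net-tools code: ax25_encode is a hypothetical helper that builds a 7-byte shifted AX.25 address only so the sample input can be constructed inline, ax25_decode is a bounded decoder that returns -1 instead of overflowing, and ax25_decode_fixed_offset reproduces the offset-6 write from the posted patch (kept memory-safe by the 10-byte buffer) to show why the SSID disappears for a 5-character callsign. The SSID extraction `(addr[6] & 0x1E) >> 1` is the one from lib/ax25.c; everything else is this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not net-tools code. Decodes a 7-byte AX.25 shifted address
 * into "CALLSIGN-SSID" with explicit bounds, and reproduces the fixed-offset
 * write from the thread to show why strlen() is needed. */

#define AX25_ADDR_LEN 7
/* Worst case: 6 callsign chars + '-' + 2 SSID digits (SSID is 0..15) + NUL. */
#define AX25_STR_MAX  10

/* Hypothetical helper: build a shifted AX.25 address from a callsign and SSID.
 * Used only to construct sample input; on a real system the bytes come from the kernel. */
static void ax25_encode(const char *call, int ssid, unsigned char out[AX25_ADDR_LEN])
{
    size_t n = strlen(call);
    for (size_t i = 0; i < 6; i++) {
        unsigned char c = (i < n) ? (unsigned char)call[i] : ' ';   /* space padding */
        out[i] = (unsigned char)(c << 1);              /* characters are stored shifted left by one */
    }
    out[6] = (unsigned char)(((ssid & 0x0F) << 1) | 0x60); /* SSID lives in bits 1..4 */
}

/* Hardened decoder: appends the SSID at the real end of the callsign and lets
 * snprintf enforce the remaining space. Returns the string length, or -1 if
 * buflen is too small; never writes past buf[buflen - 1]. */
static int ax25_decode(const unsigned char *addr, char *buf, size_t buflen)
{
    size_t len = 0;
    if (buflen == 0)
        return -1;
    for (size_t i = 0; i < 6; i++) {
        char c = (char)((addr[i] & 0xFF) >> 1);
        if (c == ' ')
            break;                                     /* end of a short callsign */
        if (len + 1 >= buflen)
            return -1;                                 /* no room for char + NUL */
        buf[len++] = c;
    }
    buf[len] = '\0';
    int ssid = (addr[6] & 0x1E) >> 1;                  /* same extraction as lib/ax25.c */
    if (ssid != 0) {
        int r = snprintf(buf + len, buflen - len, "-%d", ssid);
        if (r < 0 || (size_t)r >= buflen - len)
            return -1;                                 /* suffix would have been truncated */
        len += (size_t)r;
    }
    return (int)len;
}

/* The fixed-offset variant from the thread, memory-safe here because the
 * buffer is 10 bytes and the write is bounded. For a 5-character callsign the
 * NUL already sitting at index 5 hides the suffix written at index 6. */
static int ax25_decode_fixed_offset(const unsigned char *addr, char buf[AX25_STR_MAX])
{
    for (int i = 0; i < 6; i++) {
        buf[i] = (char)((addr[i] & 0xFF) >> 1);
        if (buf[i] == ' ')
            buf[i] = '\0';
    }
    buf[6] = '\0';
    int ssid = (addr[6] & 0x1E) >> 1;
    if (ssid != 0)
        snprintf(buf + 6, (size_t)(AX25_STR_MAX - 6), "-%d", ssid); /* at most "-15" + NUL */
    return (int)strlen(buf);
}

/* Helpers that run one whole case so the result can be checked by value. */
static int decode_len(const char *call, int ssid, size_t buflen)
{
    unsigned char addr[AX25_ADDR_LEN];
    char buf[AX25_STR_MAX];
    ax25_encode(call, ssid, addr);
    return ax25_decode(addr, buf, buflen <= sizeof buf ? buflen : sizeof buf);
}

static int decode_matches(const char *call, int ssid, const char *expect)
{
    unsigned char addr[AX25_ADDR_LEN];
    char buf[AX25_STR_MAX];
    ax25_encode(call, ssid, addr);
    return ax25_decode(addr, buf, sizeof buf) == (int)strlen(expect) && strcmp(buf, expect) == 0;
}

static int fixed_offset_matches(const char *call, int ssid, const char *expect)
{
    unsigned char addr[AX25_ADDR_LEN];
    char buf[AX25_STR_MAX];
    ax25_encode(call, ssid, addr);
    ax25_decode_fixed_offset(addr, buf);
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    unsigned char addr[AX25_ADDR_LEN];
    char a[AX25_STR_MAX], b[AX25_STR_MAX];
    ax25_encode("F6BVP", 12, addr);                    /* constructed sample: the address from the thread */
    ax25_decode(addr, a, sizeof a);
    ax25_decode_fixed_offset(addr, b);
    printf("strlen append : %s\nfixed offset 6: %s\n", a, b);
    ax25_encode("AB1CDE", 15, addr);                   /* constructed worst case: 9 characters + NUL */
    printf("worst case fits in 9 bytes? %s\n", ax25_decode(addr, a, 9) < 0 ? "no" : "yes");
    return 0;
}
```

Running it prints `F6BVP-12` for the strlen-based append and a bare `F6BVP` for the fixed-offset write, which is the same difference the thread shows between the proof output and the output after the offset-6 patch; the worst-case callsign "AB1CDE" with SSID 15 is rejected by a 9-byte buffer and accepted by a 10-byte one.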
I agree that strlen(buff) is needed.
However AX25_print() must return a char *.
In the print function, i = ptr[6] is used to get the callsign SSID value, which can range from 0 to 15.
Thus callsigns have a variable length, and IMHO strlen(buff) seems more correct and should be kept.
--- a/lib/ax25.c 2023-06-29 11:16:10.000000000 +0200
+++ b/lib/ax25.c 2024-09-02 00:22:10.909106399 +0200
@@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;
static const char AX25_print(const char ptr)
{
- static char buff[8];
+ static char buff[10];
int i;
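Review bot: this diff is cut off after the `int i;` context line, so only the buff[8] to buff[10] resize is reviewable here; that part matches the 6 + 1 + 2 + 1 byte accounting given earlier in the thread. The suffix write is the part that needs review (whether it keeps strlen(buff) and whether it is bounded with snprintf rather than sprintf), so please post the full second hunk. The signature line again reads `static const char AX25_print(const char ptr)` without its `*` characters, which looks like paste formatting but should be verified against the file.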