
#48 ifconfig buffer overflow in ax25 and netrom

Group: NEXTGEN
Status: closed-fixed
Labels: overflow (1)
Priority: 5
Updated: 2025-08-18
Created: 2024-08-28
Private: No

Installing AX25 on Ubuntu created ax0 and rose0 devices.

ip address says:
8: ax0: <BROADCAST,UP,LOWER_UP> mtu 253 qdisc pfifo_fast state UNKNOWN group default qlen 10
link/ax25 F6BVP-12 brd QST-0 permaddr LINUX-1
9: rose0: <NOARP,UP,LOWER_UP> mtu 251 qdisc noqueue state UNKNOWN group default qlen 1000
link/rose 2080835201 brd 0000000000

./ipmaddr says :
....
8: ax0
inet 224.0.0.1
9: rose0
inet 224.0.0.1

ifconfig rose0 says:
./ifconfig rose0
rose0: flags=193<UP,RUNNING,NOARP> mtu 251
rose 2080835201 txqueuelen 1000 (AMPR ROSE)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

However ifconfig ax0 reports:
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
*** buffer overflow detected ***: terminated
Aborted (core dumped)

Downloaded from sourceforge:
./ifconfig --version
net-tools 3.14-alpha

Built with -ggdb2 and running gdb ifconfig rose0 or ax0:
(gdb) run
Starting program: /home/bernard/Téléchargements/net-tools-code-20a78e06a69bd9b6b4e15468201d5d3aa9c395db/ifconfig
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb)

What can be done to go further and find source of buffer overflow ?

Bernard, f6bvp


Discussion

(Page 1 of 2)
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-28

    Where :

    (gdb) where
    #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
    #1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
    #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
    #3  0x00007ffff7c4526e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #4  0x00007ffff7c288ff in __GI_abort () at ./stdlib/abort.c:79
    #5  0x00007ffff7c297b6 in __libc_message_impl (fmt=fmt@entry=0x7ffff7dce765 "*** %s ***: terminated\n")
        at ../sysdeps/posix/libc_fatal.c:132
    #6  0x00007ffff7d36c19 in __GI___fortify_fail (msg=msg@entry=0x7ffff7dce74c "buffer overflow detected")
        at ./debug/fortify_fail.c:24
    #7  0x00007ffff7d365d4 in __GI___chk_fail () at ./debug/chk_fail.c:28
    #8  0x00007ffff7c889f0 in __vsprintf_internal (string=<optimized out>, maxlen=<optimized out>, 
        format=<optimized out>, args=args@entry=0x7fffffffde30, mode_flags=mode_flags@entry=6)
        at ./libio/iovsprintf.c:67
    #9  0x00007ffff7d37e6f in ___sprintf_chk (s=<optimized out>, flag=flag@entry=2, slen=<optimized out>, 
        format=format@entry=0x55555555ff67 "-%d") at ./debug/sprintf_chk.c:40
    #10 0x000055555555a172 in sprintf (__fmt=0x55555555ff67 "-%d", __s=<optimized out>)
        at /usr/include/x86_64-linux-gnu/bits/stdio2.h:30
    #11 AX25_print (ptr=<optimized out>) at ax25.c:63
    #12 0x000055555555bfd4 in ife_print_long (ptr=0x5555555673c0) at interface.c:869
    #13 0x000055555555c73d in ife_print (i=0x5555555673c0) at interface.c:953
    #14 do_if_print (ife=0x5555555673c0, cookie=0x5555555635c8 <opt_a>) at interface.c:590
    #15 0x000055555555b720 in for_all_interfaces (doit=0x55555555c6f0 <do_if_print>, 
        cookie=cookie@entry=0x5555555635c8 <opt_a>) at interface.c:145
    #16 0x0000555555557b41 in if_print (ifname=0x0) at ifconfig.c:108
    #17 main (argc=<optimized out>, argv=0x7fffffffe350) at ifconfig.c:327
    (gdb) 
    
     

    Last edit: Mike Frysinger 2024-09-01
  • Bernd Eckenfels

    Bernd Eckenfels - 2024-08-28

    looks like the snprintf in ax should be easy to find with your contributed info, will let you know.

    is that some malicious host or just a regular enabled kernel? does it actually have such hardware? maybe you can share the related proc files, meanwhile?

    thanks a lot for reporting!

     

    Last edit: Bernd Eckenfels 2024-08-28
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-28

    Correction : gdb --args ./ifconfig rose0 is OK!
    (gdb) run
    Starting program: /home/bernard/Téléchargements/net-tools-code-20a78e06a69bd9b6b4e15468201d5d3aa9c395db/ifconfig rose0
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    rose0: flags=193<UP,RUNNING,NOARP> mtu 251
    rose 2080835201 txqueuelen 1000 (AMPR ROSE)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 0 bytes 0 (0.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    [Inferior 1 (process 48135) exited normally]
    (gdb)

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-28

    Removing -O2 from the makefile solved the bug. I don't see why.
    ./ifconfig ax0
    ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
    ax25 F6BVP-12 txqueuelen 10 (AMPR AX.25)
    RX packets 23 bytes 529 (529.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 425 bytes 7868 (7.6 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

     
  • f4klo

    f4klo - 2024-08-29

    Hi,
    In a bug submission it is recommended to provide the application version.
    This is what is shown when the command-line option --version is given:

    ./ifconfig --version
    net-tools 3.14-alpha

     

    Last edit: Mike Frysinger 2024-09-01
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-30

    Bug solved!

    Increasing the buff[] size by one solved the issue
    while keeping the -O2 optimizing compile option, which is probably over-optimizing strlen!

    Here is the diff file:

    --- a/lib/ax25.c    2023-06-29 11:16:10.000000000 +0200
    +++ b/lib/ax25.c    2024-08-30 12:40:37.989684153 +0200
    @@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;
    
     static const char *AX25_print(const char *ptr)
     {
    -    static char buff[8];
    +    static char buff[9];
         int i;
    
         for (i = 0; i < 6; i++) {
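    Review bot: the +1 in this hunk (buff[8] to buff[9]) is one byte short of the worst case, so the overflow is narrowed rather than removed. The code quoted later in the thread writes six callsign bytes, a terminator at buff[6], and then sprintf(&buff[strlen(buff)], "-%d", i) with i = (ptr[6] & 0x1E) >> 1, i.e. 0..15; a six-character callsign with a two-digit SSID therefore needs 6 + 3 + 1 = 10 bytes ("TM6BVP-10" plus NUL). It only appears to work here because "F6BVP-12" plus NUL is exactly 9 bytes. Size the buffer to at least 10 and, ideally, use snprintf with the remaining space so a future miscount cannot overflow again.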
    

    By the way :

    Linux Ubuntu-2404 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

    gcc version 13.2.0 (Ubuntu 13.2.0-23ubuntu4)

    Regards,

    Bernard, f6bvp / ai7bg

     

    Last edit: Mike Frysinger 2024-09-01
    • Martin Cooper

      Martin Cooper - 2025-06-24

      Not sufficient. 6-character callsign + "-" + 2-digit SSID + terminating "\0" = 10 characters.

       
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-31

    Proof :

    bernard@Ubuntu-2404:~$ ifconfig ax0
    ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
    ax25 F6BVP-12 txqueuelen 10 (AMPR AX.25)
    RX packets 379 bytes 14816 (14.4 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 13999 bytes 991325 (968.0 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-31

    bernard@Ubuntu-2404:~$ ifconfig --version
    net-tools 3.14-alpha
    bernard@Ubuntu-2404:~$

     
  • Mike Frysinger

    Mike Frysinger - 2024-09-01

    increasing buffer to 9 bytes is insufficient. the sprintf call can write up to 10 bytes.
    i = ((ptr[6] & 0x1E) >> 1); can be 2 digits which means the sprintf will write 4 bytes and since it always does it at offset 6, we need 10.

    would be good to simplify the sprintf code a little too while at it.

    -   sprintf(&buff[strlen(buff)], "-%d", i);
    +   sprintf(buff + 6, "-%d", i);
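    Review bot: buff + 6 only holds if all six callsign positions 0..5 are always filled with printable characters; a callsign shorter than six (the reporter's F6BVP is five) is already terminated earlier, so writing "-%d" at offset 6 lands after the terminator and the SSID silently disappears from the printed string. Keep &buff[strlen(buff)], or carry the index at which the loop stopped and pass that as the offset; the buffer itself still has to grow to 10 bytes either way.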
    
     
  • Bernard Pidoux

    Bernard Pidoux - 2024-09-01

    Mike,
    I patched ax25.c and it compiles and works perfectly.
    Thanks a lot for your suggestions. I learned something !

    ./ifconfig ax0
    ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
    ax25 F6BVP txqueuelen 10 (AMPR AX.25)
    RX packets 13 bytes 285 (285.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 100 bytes 3246 (3.1 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-09-01

    diff -pruN a/lib/ax25.c b/lib/ax25.c
    --- a/lib/ax25.c 2023-06-29 11:16:10.000000000 +0200
    +++ b/lib/ax25.c 2024-09-01 17:23:33.411623086 +0200
    @@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;

    static const char AX25_print(const char ptr)
    {
    - static char buff[8];
    + static char buff[10];
    int i;

     for (i = 0; i < 6; i++) {
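    Review bot: buff[10] is exactly the worst case (six callsign characters, '-', two SSID digits, NUL), which is correct but leaves no record of why 10 was chosen; a comment such as /* "XXXXXX-NN" + NUL */ beside the declaration, or a named constant shared by the declaration and the sprintf bound, would stop the next edit from shrinking it again. Also, the signature line as pasted has lost both '*' characters (it should read static const char *AX25_print(const char *ptr)); the hunk as shown would not compile.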
    

    @@ -60,7 +60,7 @@ static const char *AX25_print(const char
    buff[6] = '\0';
    i = ((ptr[6] & 0x1E) >> 1);
    if (i != 0)
    - sprintf(&buff[strlen(buff)], "-%d", i);
    + sprintf(buff + 6, "-%d", i);
    return (buff);
    }
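    Review bot: this hunk drops the SSID for any callsign shorter than six characters. The callsign part can end before offset 6 (F6BVP is five characters), so sprintf(buff + 6, "-%d", i) writes "-12" after the string's existing terminator and the interface prints as "ax25 F6BVP" instead of "F6BVP-12", as the patched output posted just above shows. Revert to &buff[strlen(buff)], or keep the count n of characters the loop actually stored and use snprintf(buff + n, sizeof buff - n, "-%d", i) so that both the offset and the bound are right.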

     
  • Bernd Eckenfels

    Bernd Eckenfels - 2024-09-01

    i don't think it works without strlen; the first part can be up to 6, in the example from Bernard it is only 5. we could exit the loop and use i instead of strlen, though.

     
  • Mike Frysinger

    Mike Frysinger - 2024-09-01

    thanks, i thought the loop always wrote out 6 bytes followed by the NUL, but didn't read it closely enough.

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-09-01

    I agree that strlen(buff) is needed.
    However, AX25_print() must return a char *.
    In the print function, i = ptr[6] is used to get the callsign SSID value, which can range from 0 to 15.
    Thus callsigns have a variable length, and IMHO strlen(buff) seems more correct and should be kept.

    --- a/lib/ax25.c 2023-06-29 11:16:10.000000000 +0200
    +++ b/lib/ax25.c 2024-09-02 00:22:10.909106399 +0200
    @@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;

    static const char AX25_print(const char ptr)
    {
    - static char buff[8];
    + static char buff[10];
    int i;

     for (i = 0; i < 6; i++) {
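    Review bot: the size is now right (6 + 1 + 2 + 1 = 10 for "XXXXXX-NN" plus NUL, since (ptr[6] & 0x1E) >> 1 caps the SSID at 15), and keeping &buff[strlen(buff)] is the correct offset as discussed. One remaining nit: the sprintf is still unbounded, so the FORTIFY abort is merely unreachable rather than impossible; snprintf(&buff[len], sizeof buff - len, "-%d", i) with len = strlen(buff) would make the bound explicit in the code instead of in the reviewer's head.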
    
     
  • David Ranch

    David Ranch - 2025-06-23

    Hello everyone, KD6YAM and I recently noticed this issue in Linux Mint 22.1 and Ubuntu 24.04.2 as of 06/23/25. Please note that special event callsigns in different countries can get quite long, plus the two-digit SSID. See https://ham.stackexchange.com/questions/10339/which-country-s-hams-have-the-longest-call-signs for some ideas, but the field could get quite long with, say, 3 char + 2 number + 4 char + 2 number SSID == 11 char total + 1 null terminator byte, or 12 bytes minimum w/o any consideration for min or max data structure requirements.

    I can personally work around this by just using the iproute2 "ip" tools, but it would be good to get the classic ifconfig tool fixed.

     

    Last edit: David Ranch 2025-06-23
    • Bernard Pidoux

      Bernard Pidoux - 2025-06-24

      Hi David,
      Special ham radio callsigns that have more than 6 characters cannot be handled by any AX25 application.
      The AX25 protocol was adopted in the 80s and the maximum number of callsign characters was set to 6. A seventh character (shifted ASCII) is reserved for the SSID (0 to 15).
      None of these limitations can be changed, especially now that AX25 is less supported.

      73 de Bernard F6BVP / AI7BG

       
      • Martin Cooper

        Martin Cooper - 2025-06-24

        A 7th byte is allocated for the SSID, which, as you note, can be a 2-digit number, so the SSID can be one or two digits, plus the separating dash. That's potentially 3 characters in addition to the 6-character callsign, plus a trailing "\0", requiring a 10-character buffer, not the 8 characters currently in the code.

         
  • Bernard Pidoux

    Bernard Pidoux - 2025-06-24

    Hi David,
    Thank you for confirming the buffer overflow bug in ifconfig's AX25_print().
    As I first noticed, removing -O2 from the makefile solved the bug.

    In lib/ax25.c, increasing the buffer by one byte from 8 to 9:

    static const char *AX25_print(const char *ptr)
    {
        static char buff[9];

    succeeded in preventing the optimizing compiler from inducing a buffer overflow and program abort.

    I hope this will be accepted soon now that you observed the same bug.

    73 de Bernard, f6bvp

     
  • Bernd Eckenfels

    Bernd Eckenfels - 2025-06-24

    thanks for debugging, will make sure that buffer can't overflow in the future. can you maybe add your /proc/net/ax25 file for testing (not sure that actually works without ioctl, but at least i can validate the kernel version view)

     
    • Bernard Pidoux

      Bernard Pidoux - 2025-06-24

      Hi Bernd,

      Once again the buffer overflow is clearly related to the -O2 option while
      compiling ifconfig.c

      For some reason the compiler is taking some liberties in reducing the
      size of a buffer.

      Here are three /proc/net/ax25 files coming from three different active
      AX.25 neighbour node stations:

      73s de Bernard, f6bvp / ai7bg


  • Martin Cooper

    Martin Cooper - 2025-06-24

    This is not related to compiler optimizations. The buffer in AX25_print is just too short, plain and simple. On this line:

    https://sourceforge.net/p/net-tools/code/ci/master/tree/lib/ax25.c#l52

    a buffer of 8 characters is allocated. The code then proceeds to unpack an AX.25 address into that buffer. Let's say the address is my callsign, with an SSID. That might be "KD6YAM-11", for example. Along with a trailing "\0", that needs a buffer of 10 bytes. Trying to use a buffer of 8 bytes will cause a buffer overflow, on this line, as the SSID is added to the buffer:

    https://sourceforge.net/p/net-tools/code/ci/master/tree/lib/ax25.c#l63

    The 8-byte buffer simply needs to be expanded to accommodate a full AX.25 address. All that's needed is to change '8' to, say, '12' on line #52, and the buffer overflow, and crash, will be fixed.

     
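    As an added example (not code from net-tools or from anyone in this thread), the C program below decodes a 7-byte AX.25 address the way the quoted AX25_print() does, but into a caller-sized, bounds-checked buffer, and reports how many bytes each callsign/SSID needs. It lets the 8-versus-9-versus-10 discussion in Mike's, Bernd's and Martin's posts be checked numerically: F6BVP-12 happens to fit in 9 bytes, TM6BVP-10 does not, and the original 8 fits neither. The field layout (callsign bytes shifted left by one, SSID = (ptr[6] & 0x1E) >> 1) is taken from the code quoted in the thread; the ax25_encode helper, the ax25_needed and ax25_decodes_to wrappers, the AX25_PRINT_MAX constant and the 0x60 reserved bits written by the encoder are constructions of this example, not something the page states.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not net-tools code): decode a 7-byte AX.25 address the way
 * lib/ax25.c AX25_print() does, but into a caller-sized, bounds-checked buffer.
 * Layout as in the quoted code: callsign bytes are ASCII shifted left by one
 * and space padded; the SSID is (byte[6] & 0x1E) >> 1, i.e. 0..15.
 * Returns the bytes the "CALL-SSID" string needs including the NUL, or -1 if
 * out_len is too small (out is then left as an empty string).
 */
#define AX25_PRINT_MAX 10   /* "XXXXXX" + "-" + "NN" + NUL = 6 + 1 + 2 + 1 */

static int ax25_decode(const unsigned char addr[7], char *out, size_t out_len)
{
    char call[7];
    size_t n = 0;

    /* Stop at the first padding space: this is the position strlen(buff)
     * finds in the original once padding has been turned into NULs. */
    for (int i = 0; i < 6; i++) {
        char c = (char)((addr[i] & 0xFF) >> 1);
        if (c == ' ')
            break;
        call[n++] = c;
    }
    call[n] = '\0';

    /* Four SSID bits, so never more than two decimal digits. */
    int ssid = (addr[6] & 0x1E) >> 1;

    int needed = (ssid != 0) ? snprintf(out, out_len, "%s-%d", call, ssid)
                             : snprintf(out, out_len, "%s", call);
    if (needed < 0 || (size_t)needed >= out_len) {
        if (out_len > 0)
            out[0] = '\0';
        return -1;
    }
    return needed + 1;
}

/*
 * Constructed test-data helper (assumption, not from the page): pack a
 * printable callsign and SSID into the 7-byte wire form. 0x60 sets the two
 * reserved bits; the decoder masks them off with 0x1E regardless.
 */
static void ax25_encode(const char *call, int ssid, unsigned char addr[7])
{
    size_t len = strlen(call);
    for (int i = 0; i < 6; i++) {
        char c = ((size_t)i < len) ? call[i] : ' ';
        addr[i] = (unsigned char)(c << 1);
    }
    addr[6] = (unsigned char)(0x60 | ((ssid & 0x0F) << 1));
}

/* Bytes needed (including NUL) to print CALL-SSID into a buffer of out_len
 * bytes, or -1 if a buffer of that size would overflow. */
static int ax25_needed(const char *call, int ssid, size_t out_len)
{
    unsigned char addr[7];
    char out[AX25_PRINT_MAX + 1];
    if (out_len > sizeof out)
        out_len = sizeof out;
    ax25_encode(call, ssid, addr);
    return ax25_decode(addr, out, out_len);
}

/* 1 if CALL-SSID decodes to `expected` using a correctly sized buffer. */
static int ax25_decodes_to(const char *call, int ssid, const char *expected)
{
    unsigned char addr[7];
    char out[AX25_PRINT_MAX];
    ax25_encode(call, ssid, addr);
    return ax25_decode(addr, out, sizeof out) > 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed cases: the reporter's F6BVP-12, the six-character TM6BVP-10
     * he later tested with, and a three-character address with SSID 0. */
    const struct { const char *call; int ssid; } cases[] = {
        { "F6BVP", 12 }, { "TM6BVP", 10 }, { "QST", 0 },
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        const char *c = cases[k].call;
        int s = cases[k].ssid;
        printf("%s-%d needs %d bytes; buff[8] %s, buff[9] %s, buff[10] %s\n",
               c, s, ax25_needed(c, s, AX25_PRINT_MAX + 1),
               ax25_needed(c, s, 8) < 0 ? "overflows" : "fits",
               ax25_needed(c, s, 9) < 0 ? "overflows" : "fits",
               ax25_needed(c, s, 10) < 0 ? "overflows" : "fits");
    }
    return 0;
}
```

    The interesting row is TM6BVP-10: it needs all 10 bytes, so the buff[9] patch proposed earlier in the thread only passed because the reporter's own callsign is five characters long. Returning -1 rather than aborting is what snprintf buys over sprintf here; the FORTIFY abort the reporter saw is glibc catching the same overrun after the fact.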
  • Bernd Eckenfels

    Bernd Eckenfels - 2025-06-24

    thanks for the files Bernard, do all 3 stations crash?
    i would agree with Martin, it's not an optimizer problem, but those optimisations are known to change the packing and therefore can trigger crashes more easily. but fixing the overflow should be enough to avoid it.

     
  • Bernard Pidoux

    Bernard Pidoux - 2025-06-25

    I finally agree with Martin that printing an AX25 callsign needs a 10-character buffer.
    Presently none of the three stations are experiencing ifconfig crashes.
    Their ax0 interface callsigns have no more than 5 characters plus an SSID of one or two characters:
    F6BVP-8, F6BVP-10 and F6KKR-10.
    In order to test my own station I set the ax0 interface callsign to the maximum AX25 size (6 characters + 2-digit SSID) and it did not induce any crash (TM6BVP-10).
    The system is a Raspberry Pi
    ~$ cat /proc/version
    Linux version 6.12.33-v8+ (dom@buildbot) (aarch64-linux-gnu-gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #1888 SMP PREEMPT Wed Jun 18 12:34:33 BST 2025

     
