buffer overflow in UdpReceivingData() with SS5_VERBOSE and when compiled...
Brought to you by:
matteoricchetti
In source rpm in ss5.spec I changed
./configure --with-libpath=%{_libdir}
to
./configure CFLAGS="-g -O2 -D_FORTIFY_SOURCE=2" --with-libpath=%{_libdir}
/etc/opt/ss5/ss5.conf:
set SS5_VERBOSE auth 0.0.0.0/0 - -
Now child ss5 processes crash on the 1st UDP packet:
# *** buffer overflow detected ***: ss5 terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3caa2fb2c7]
/lib64/libc.so.6[0x3caa2f91c0]
/lib64/libc.so.6[0x3caa2f88bb]
/lib64/libc.so.6(__snprintf_chk+0x7a)[0x3caa2f878a]
/usr/lib64/ss5/mod_proxy.so(UdpReceivingData+0x30b)[0x7f334261e20b]
ss5(S5Core+0x2a51)[0x407b41]
ss5(main+0x87e)[0x40421e]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3caa21ec5d]
ss5[0x4038d9]
======= Memory map: ========
...
rhel-server-6.0-x86_64 (originally found this bug on Archlinux)
Test program attached.
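Added example, not part of the original report and not ss5 code: the `__snprintf_chk` frame in the backtrace is glibc's fortified `snprintf`, which aborts as soon as the size argument exceeds the destination size the compiler recorded, before any formatting and regardless of how short the output is. The sketch calls that entry point directly in a child process to show a single log call dying with SIGABRT. It assumes glibc; `LOGSTR_SIZE`, `run_log_call` and the log format are constructed for illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* glibc's fortified entry point (the __snprintf_chk frame in the backtrace).
 * maxlen: size the caller passed to snprintf().
 * slen:   size of the destination object as known at compile time. */
extern int __snprintf_chk(char *s, size_t maxlen, int flag, size_t slen,
                          const char *format, ...);

#define LOGSTR_SIZE 64 /* constructed destination size, not taken from ss5 */

/* Format a short constructed log line into a LOGSTR_SIZE buffer while
 * claiming the buffer holds `claimed` bytes. The call runs in a child so
 * the parent can observe the outcome.
 * Returns 0 on clean exit, the terminating signal number, or -1 on error. */
int run_log_call(size_t claimed)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char logstr[LOGSTR_SIZE];
        /* Output is well under LOGSTR_SIZE whatever `claimed` says.
         * flag 1 is the value passed under _FORTIFY_SOURCE=2. */
        __snprintf_chk(logstr, claimed, 1, sizeof logstr,
                       "[%u] UDP recv %d bytes", (unsigned)getpid(), 512);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Correct size argument: the child exits normally. */
    printf("size = sizeof logstr: %d\n", run_log_call(LOGSTR_SIZE));
    /* Oversized size argument: the child is killed by SIGABRT. */
    printf("size = 1024:          %d\n", run_log_call(1024));
    return 0;
}
```

Without `-D_FORTIFY_SOURCE` the same mismatch goes unnoticed until a formatted line actually exceeds the destination, which is why the crash only appeared after the spec file change.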