Socks Server 5 / Bugs / #73 buffer overflow in UdpReceivingData() with SS5_VERBOSE and when compiled with -O2 -D_FORTIFY

#73 buffer overflow in UdpReceivingData() with SS5_VERBOSE and when compiled with -O2 -D_FORTIFY_SOURCE=2

Milestone: v1.0 (example)

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2014-07-12

Created: 2013-10-29

Creator: Ilya Basin

Private: No

In source rpm in ss5.spec I changed

./configure --with-libpath=%{_libdir}

./configure CFLAGS="-g -O2 -D_FORTIFY_SOURCE=2" --with-libpath=%{_libdir}

/etc/opt/ss5/ss5.conf:

set SS5_VERBOSE
auth 0.0.0.0/0 - -

Now child ss5 processes crash on the 1st UDP packet:

# *** buffer overflow detected ***: ss5 terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3caa2fb2c7]
/lib64/libc.so.6[0x3caa2f91c0]
/lib64/libc.so.6[0x3caa2f88bb]
/lib64/libc.so.6(__snprintf_chk+0x7a)[0x3caa2f878a]
/usr/lib64/ss5/mod_proxy.so(UdpReceivingData+0x30b)[0x7f334261e20b]
ss5(S5Core+0x2a51)[0x407b41]
ss5(main+0x87e)[0x40421e]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3caa21ec5d]
ss5[0x4038d9]
======= Memory map: ========
...

rhel-server-6.0-x86_64 (originally found this bug on Archlinux)

Test program attached.

1 Attachments

test.c

buffer overflow in UdpReceivingData() with SS5_VERBOSE and when compiled...

Group

Searches

Help

#73 buffer overflow in UdpReceivingData() with SS5_VERBOSE and when compiled with -O2 -D_FORTIFY_SOURCE=2

Discussion