From: Simon Josefsson
Subject: Re: TFTP client crash seems to be caused by missing bounds check in makeargv()
Date: Tue, 06 Sep 2022 20:05:04 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Erik Auerswald <auerswal@unix-ag.uni-kl.de> writes:

> Hi,
> On 04.09.22 17:34, Erik Auerswald wrote:
>> On 03.09.22 19:07, Erik Auerswald wrote:
>>> On Sat, Sep 03, 2022 at 05:39:45PM +0200, Simon Josefsson wrote:
>>>> [...]
>>>> did you notice some fuzzing report that wasn't fixed?
>>> [...]
>>> * Problems found in tftp (the code did not change since the report):
>>>    * Untrusted Pointer Dereference in getcmd() at
>>> inetutils/src/tftp.c:878
>>>      https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00018.html
>> That seems to be a missing bounds check in makeargv(), similar
>> to the old, now fixed, code in telnet.
>> I'll look into creating a nice reproducer instead of the one
>> found by the fuzzer, adding a test case, and fixing the bug.
> That is harder than expected...  Is there a reason *not* to use
> the crash input found by the fuzzer in a test for GNU Inetutils?

More testing would be great!  Integrating oss-fuzz would be too...

Re BSD tools: perhaps one way to proceed here is to start to sync code
so we at least have similar code bases to look at?  Maybe we can find
some code that is sufficiently similar so that we can simply setup
scripts to keep the code in sync for the future.  And hopefully make the
set of code that is kept in sync automatically larger and larger.  The
CVE-2019-0053 bug we discovered now was fixed in FreeBSD back in 2005...
I'm sure there are plenty more discoveries like this waiting for us.
Having more code in sync helps with this.
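The makeargv() bounds-check pattern discussed in the quoted report, as an added example that is not GNU Inetutils code and not from any participant in the thread: a whitespace tokenizer that fills a fixed-size argv and stops at the last free slot instead of writing past the array, together with the invariant check one would wire into a libFuzzer entry point so that a fuzzer's crash input can be replayed as a regression test. MAXARGS, the function names and the sample command lines are assumptions for illustration; the page does not show the real array size in tftp.c.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical slot count for the illustration; the page does not show the
 * size GNU Inetutils uses in tftp.c. */
#define MAXARGS 8

/* Split LINE in place on whitespace into ARGV, which has MAXARGS slots, the
 * last one reserved for the NULL terminator. Returns the number of arguments
 * stored and sets *TRUNCATED when the line carried more words than fit, so
 * the caller can refuse the command rather than act on a silently shortened
 * one. The check on argc is the bounds check the thread is about. */
static int makeargv_bounded(char *line, char *argv[], int *truncated)
{
    int argc = 0;
    char *p = line;

    *truncated = 0;
    for (;;) {
        while (*p != '\0' && isspace((unsigned char)*p))
            *p++ = '\0';                 /* skip and terminate separators */
        if (*p == '\0')
            break;
        if (argc >= MAXARGS - 1) {       /* no free slot left: stop, do not overrun */
            *truncated = 1;
            break;
        }
        argv[argc++] = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                         /* advance to the end of this word */
    }
    argv[argc] = NULL;
    return argc;
}

/* Tokenize INPUT into a scratch buffer and return the argument count. */
int count_args(const char *input)
{
    char buf[256];
    char *argv[MAXARGS];
    int truncated;

    snprintf(buf, sizeof buf, "%s", input);
    return makeargv_bounded(buf, argv, &truncated);
}

/* Tokenize INPUT and report whether words had to be dropped. */
int was_truncated(const char *input)
{
    char buf[256];
    char *argv[MAXARGS];
    int truncated;

    snprintf(buf, sizeof buf, "%s", input);
    (void)makeargv_bounded(buf, argv, &truncated);
    return truncated;
}

/* Regression-style check: run an arbitrary byte string through the tokenizer
 * and verify the invariants a crash input would violate (argc within bounds,
 * argv NULL-terminated, every argv[i] pointing inside the buffer).
 * Returns 0 when all invariants hold, nonzero otherwise. */
int check_invariants(const uint8_t *data, size_t size)
{
    char *buf = malloc(size + 1);
    char *argv[MAXARGS];
    int truncated, argc, i, bad = 0;

    if (buf == NULL)
        return -1;
    memcpy(buf, data, size);
    buf[size] = '\0';
    argc = makeargv_bounded(buf, argv, &truncated);
    if (argc < 0 || argc > MAXARGS - 1)
        bad = 1;
    if (argv[argc] != NULL)
        bad = 1;
    for (i = 0; i < argc; i++)
        if (argv[i] < buf || argv[i] >= buf + size + 1)
            bad = 1;
    free(buf);
    return bad;
}

/* libFuzzer / oss-fuzz entry point (real signature); abort() turns an
 * invariant violation into a crash the fuzzer records and minimizes. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (check_invariants(data, size) != 0)
        abort();
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal tftp-style command and one with far more
     * words than slots, the shape of input a fuzzer finds for an unbounded
     * makeargv(). */
    const char *normal = "get file.txt local.txt";
    const char *flood  = "a b c d e f g h i j k l m n o p q r s t";

    printf("%d args\n", count_args(normal));
    printf("%d args, truncated=%d\n", count_args(flood), was_truncated(flood));
    printf("invariants ok: %d\n",
           check_invariants((const uint8_t *)flood, strlen(flood)) == 0);
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address` the same file becomes a libFuzzer target, and a crash input saved by the fuzzer can be replayed through `check_invariants()` from a normal test program, which is one answer to the question of how to reuse the fuzzer's input as a test.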

