arpwatch terminated with buffer overflow
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| arpwatch (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
A server that had been running arpwatch on Ubuntu LTS 10.04 was upgraded to LTS 12.04.1. Following this arpwatch is terminated after running for a few seconds with:
*** buffer overflow detected ***: /usr/sbin/arpwatch terminated
Prior to being terminated, it appears to run as usual, with new stations being detected and logged to syslog.
As well as purging and re-installing, I have also tried installing arpwatch to another server running 12.04.1 with i386 architecture, and to a freshly installed (not updated from a previous release) 12.10 desktop and all exhibit the same behaviour whereby arpwatch terminates after a few seconds operation.
Normally I run arpwatch with an added -Q flag to suppress email notifications, but have reverted to the default flags (-N -p) but this does not address the issue.
# lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04
# apt-cache policy arpwatch
arpwatch:
Installed: 2.1a15-
Candidate: 2.1a15-
Version table:
*** 2.1a15-
500 http://
500 http://
100 /var/lib/
2.1a15-1.1 0
500 http://
What should happen: arpwatch should run until stopped
What does happen: arpwatch is terminated
Related branches
| Steve Kersley (steve-kersley) wrote | #1 |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in arpwatch (Ubuntu): | |
| status: | New → Fix Released |
Watching ARP traffic with tcpdump while running arpwatch has narrowed this down to an overflow within name resolution functions.
On every instance that arpwatch terminated, I found that the next ARP packet involved a particular host that had an excessively long hostname in the DNS - 37 characters, or 55 as a fully qualified hostname, which I'm assuming is overflowing some buffer.
While this problem is therefore unlikely to affect many others, there clearly is code that is writing data into a buffer that is of insufficent size:
In db.c, in function elist_alloc() (line 297 in current revision) strcpy is being used to write the hostname into a fixed length char[34] (defined in struct einfo{}, line 65 same file) with no checking of size. This looks to be a simple fix, but currently don't have time to learn the debian/ubuntu development methodologies to submit a patch, so have renamed my excessive hostname and hopefully the maintainer can at some point change the strcpy to a strncpy. (I note that a couple of lines below, the storing of the interface name is done with strncpy...)