[ofa-general] osmtest dies with SIGABRT / buffer overflow
Yevgeny Kliteynik
kliteyn at dev.mellanox.co.il
Tue Aug 26 13:11:59 PDT 2008
Hi Matthias,
Matthias Blankenhaus wrote:
> Howdy !
>
> I played around with osmtest and got it to a point where I can consistenly
> crash osmtest. Please, take a look at the following:
>
> OFED-1.3.1
> HW: X86_64
> OS: SLES10SP2
>
>
> Here is what I did to crash it:
>
> # osmtest -f c // works fine and creates osmtest.dat
> # osmtest -v // crashes ...
>
> ...
>
> Finally, looking at the code it looks like we have a buffer length
> problem:
>
> ...
>
> 755 sprintf(buf_service_key,
> 756 "0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
> 757 skey[0], skey[1], skey[2], skey[3], skey[4], skey[5],
> 758 skey[6], skey[7], skey[8], skey[9], skey[10], skey[11],
> 759 skey[12], skey[13], skey[14], skey[15]);
> ...
>
>
> The local variable 'buf_service_key' is 33 bytes long: 0..32. However,
> the format string from sprintf() is 2*16+2=34 bytes long. Thus we arrive
> at a buffer overflow. Not knowing much about this code the fix seems
> obvious: crank up the size of buf_service_key to 34.
>
You're right, looks like the leading "0x" was forgotten
when buffer length was calculated.
Thanks for the detailed analysis!
You also right about the fix - the short fix would be just
increasing the buffer size. The longer fix, however, would
be getting rid of the unnecessary sprintf usage completely.
In OFED 1.4 this code is already fixed (as well as all the
other places in opensm/osmtest where sprintf was used).
Anyway, I'll send an OFED 1.3.1 patch to Sasha - let's go
with the short fix :)
-- Yevgeny
>
> Cheers,
> Matthias
> _______________________________________________
> general mailing list
> general at lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
>
> To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
>
More information about the general
mailing list