pkgsrc-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pkg/57786: tcp_wrappers cause core dump when encountering certain remote system misconfiguration



>Number:         57786
>Category:       pkg
>Synopsis:       tcp_wrappers cause core dump when encountering certain remote system misconfiguration
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 19 04:40:00 +0000 2023
>Originator:     Geoff Adams
>Release:        trunk
>Organization:
>Environment:
SunOS catbus.kempt.net 5.11 joyent_20221103T001803Z i86pc i386 i86pc illumos
>Description:
Binaries that link libwrap are susceptible to crashing with SIGSEGV when a remote host initiates a connection. Specifically, if tcp_wrappers detects that the remote host name does not map to its initial address, then it will attempt to log a message ("host name/address mismatch: %s != %.*s") and crash doing it. This makes binaries vulnerable to denial of service due to remote host (DNS) (mis)configuration.

This may only happen when HAVE_IPV6 is enabled. It's caused by a missing #include of <arpa/inet.h>, causing the compiler to guess inet_ntop's return type is int, rather than char *, resulting in invalid pointer handling and a subsequent SIGSEGV.

Here is an imapd stack trace from a core dump after such a crash:

 fffffc7feefb5ab0 strlen () + 30
 fffffc7fef00cfd9 vsnprintf (fffffc7fffdfb67f, 4c1, fffffc7fffdfb230, fffffc7fffdfc000) + 79
 fffffc7feefef9ba vsyslog (3, fffffc7fffdfbba0, fffffc7fffdfc000) + 2ca
 fffffc7fcdbc9cba tcpd_diag.constprop.0 () + 6a
 fffffc7fcdbc9db6 tcpd_warn (fffffc7fcdbca248) + b6
 fffffc7fcdbc890a sock_hostname (fffffc7fffdfd180) + 22a
 fffffc7fcdbc7ee6 eval_hostname (fffffc7fffdfd180) + 46
 fffffc7fcdbc65e0 host_match (fffffc7fffdfc6e5, fffffc7fffdfd180) + 280
 fffffc7fcdbc606b list_match (fffffc7fffdfc6e4, fffffc7fffdfd070, fffffc7fcdbc6850) + 4b
 fffffc7fcdbc6252 table_match (fffffc7fcdbcab21, fffffc7fffdfd070) + 142
 fffffc7fcdbc69d0 hosts_access (fffffc7fffdfd070) + 60
 000000000044db6d main () + 9cd
 0000000000418e97 _start_crt () + 87
 0000000000418df8 _start () + 18

And here are the relevant lines in socket.c starting at line 220:

            /*
             * The host name does not map to the initial address. Perhaps
             * someone has messed up. Perhaps someone compromised a name
             * server.
             */
            tcpd_warn("host name/address mismatch: %s != %.*s",
#ifdef HAVE_IPV6
                      inet_ntop(SGFAM(sin), SGADDRP(sin), buf, sizeof(buf)),
#else
                      inet_ntoa(sin->sg_sin.sin_addr),
#endif
                      STRING_LENGTH, hp->h_name);

Adding `#include <arpa.inet.h>` to socket.c cures the problem. I have attached a change that adds a new patch file for the package that fixes the problem. I have been running with this patch for about a day, now, and the problem is completely solved. Indeed, the relevant message has been logged many times, such as:

2023-12-18T19:47:04-05:00 catbus imap[90607]: [ID 895039 local6.error] warning: /etc/hosts.allow, line 1: host name/address mismatch: 27.78.5.41 != localhost

In my patch, I have not wrapped the inclusion of <arpa/inet.h> in #ifdef HAVE_IPv6, because the header should be included for IPv4 functions such as inet_ntoa, as well. I believe the header should always be included.

Notice that the same problem has also been noticed in RedHat Linux: https://bugzilla.redhat.com/show_bug.cgi?id=977995
>How-To-Repeat:
Link a binary with libwrap and IPv6 support, and deploy it on the internet, with /etc/hosts.allow and /etc/hosts.deny set up. Sooner or later, depending on the nature of external traffic connecting to the service, the binary will crash with SIGSEGV. I have not boiled it down to a simpler test case, because it depends on the connecting host's DNS setup being incorrect.
>Fix:
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/security/tcp_wrappers/distinfo,v
retrieving revision 1.20
diff -u -u -r1.20 distinfo
--- distinfo    26 Oct 2021 11:18:04 -0000      1.20
+++ distinfo    19 Dec 2023 04:28:44 -0000
@@ -12,3 +12,4 @@
 SHA1 (patch-ai) = f5a675f8fd1cc7e4e735dc8a9804f1dcf8d276bc
 SHA1 (patch-aj) = 6332edd3e464d0f68bfa10dc6724346d0bc05f1f
 SHA1 (patch-fix_options.c) = ce49ff5b4b1e26eb7634e61fa33ad4697917fbcb
+SHA1 (patch-socket.c) = 717a600edae944779dba98ec72d9bbc7ccfa3644
Index: patches/patch-socket.c
===================================================================
RCS file: patches/patch-socket.c
diff -N patches/patch-socket.c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-socket.c      19 Dec 2023 04:28:44 -0000
@@ -0,0 +1,12 @@
+$NetBSD$
+
+--- socket.c.orig      2023-12-18 10:59:36.172842244 +0000
++++ socket.c
+@@ -29,6 +29,7 @@ static char sccsid[] = "@(#) socket.c 1.
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
++#include <arpa/inet.h>
+
+ extern char *inet_ntoa();
+


Home | Main Index | Thread Index | Old Index