segfault in acme-client when verbose > 1

Aaron Muir Hamilton
When I run acme-client with -vv (or more) on my configuration,
it segfaults.

This is caused by a buffer overrun in (netproc.c) buf_dump when called
from (netproc.c) dogetcert; and the issue only seems to affect my
configuration when I add one of the alternative names to the domain I am
getting a cert for.

I haven't put enough thought into it yet to tell whether it is a problem
just with buf_dump itself, or also with how it is being invoked here.

On the one hand, buf_dump probably shouldn't assume that a space in this
response buffer is followed by memory in the bounds, but it's also funny
that the buffer just ends there.

In any event, here is gdb on the core from
acme-client built out of -current anoncvs:

un-site-web# gdb acme-client acme-client.core
...
Core was generated by `acme-client'.
Program terminated with signal 11, Segmentation fault.
...
#0  buf_dump (buf=0x7f7ffffc3f18) at
/usr/src/usr.sbin/acme-client/netproc.c:78
78                              while (isspace((int)buf->buf[i]))
(gdb) bt
#0  buf_dump (buf=0x7f7ffffc3f18) at
/usr/src/usr.sbin/acme-client/netproc.c:78
#1  0x00000db97abf7182 in netproc (kfd=Variable "kfd" is not available.
) at /usr/src/usr.sbin/acme-client/netproc.c:608
#2  0x00000db97abf5fce in main (argc=Variable "argc" is not available.
) at /usr/src/usr.sbin/acme-client/main.c:216
(gdb)

Pardon me, I don't really have the time to write a considered patch for
this right now.

Cheers

   Aaron Muir Hamilton
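The defect the report points at (an `isspace()` loop with no bound on the index, at line 78 of the backtrace) is illustrated below as an added C example; it is not acme-client's code, and the function names and sample buffer are constructed. It shows the unbounded loop beside a bounded form that also widens the byte through `unsigned char`, since a plain `char` can be negative and is then not a valid `isspace()` argument.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Defective shape (illustration, not acme-client's code): nothing bounds i,
 * so whitespace that runs up to the end of the buffer makes isspace() read
 * past it; a plain, possibly negative, char is also not valid isspace() input. */
size_t skip_ws_unbounded(const char *buf, size_t i)
{
	while (isspace((int)buf[i]))	/* may run past the end of buf */
		i++;
	return i;
}

/* Hardened form: check i < sz before touching the byte, and widen through
 * unsigned char so every byte value is a legal isspace() argument. */
size_t skip_ws_bounded(const char *buf, size_t sz, size_t i)
{
	while (i < sz && isspace((unsigned char)buf[i]))
		i++;
	return i;
}

/* Write the sz bytes at buf to out, one whitespace-separated token per
 * line, never reading beyond sz.  Returns the number of tokens written.
 * buf need not be NUL-terminated, as a network response buffer may not be. */
size_t dump_tokens(const char *buf, size_t sz, FILE *out)
{
	size_t i = 0, start, ntok = 0;

	while ((i = skip_ws_bounded(buf, sz, i)) < sz) {
		start = i;
		while (i < sz && !isspace((unsigned char)buf[i]))
			i++;
		fprintf(out, "%.*s\n", (int)(i - start), buf + start);
		ntok++;
	}
	return ntok;
}

int main(void)
{
	/* Constructed response ending in whitespace with no NUL terminator:
	 * the shape that sends the unbounded loop off the end of the buffer. */
	char raw[] = { 'a', 'b', ' ', 'c', ' ', '\n' };

	printf("%zu tokens\n", dump_tokens(raw, sizeof(raw), stdout));
	return 0;
}
```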