mtr (buffer overflow)

HenryPootel · December 5, 2022, 10:25am

Hello,

I’ve got a message:


mtr playboy.com -r -c 2 
Start: 2022-12-05T11:24:32+0200 
*** buffer overflow detected ***: terminated 
Aborted (core dumped)

marel · December 5, 2022, 10:51pm

I do not know mtr but I installed it and see it is a nice utility combining ping and traceroute.
I see I have to run mtr with superuser privileges, likely because it needs special network access.

I can reproduce the problem but only with -r/–report

Following the instructions on Using systemd-coredump to debug application crashes I could run gdb for the core dump:

Core was generated by `mtr knmi.nl -r -c 2'. 
Program terminated with signal SIGABRT, Aborted. 
#0  __pthread_kill_implementation (threadid=&lt;optimized out&gt;, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 
Downloading 0.00 MB source file /usr/src/debug/glibc-2.36/nptl/pthread_kill.c
44            **return****INTERNAL_SYSCALL_ERROR_P**(ret)?**INTERNAL_SYSCALL_ERRNO**(ret):0;
(gdb) where 
#0  __pthread_kill_implementation (threadid=&lt;optimized out&gt;, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 
#1  0x00007fbffcd0f873 in __pthread_kill_internal (signo=6, threadid=&lt;optimized out&gt;) at pthread_kill.c:78 
#2  0x00007fbffccbc816 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 
#3  0x00007fbffcca581c in __GI_abort () at abort.c:79 
#4  0x00007fbffcd0298e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fbffce2b206 "*** %s ***: terminated
") at ../sysdeps/posix/libc_fatal.c:155 
#5  0x00007fbffcda41ea in __GI___fortify_fail (msg=msg@entry=0x7fbffce2b1ac "buffer overflow detected") at fortify_fail.c:26 
#6  0x00007fbffcda27d6 in __GI___chk_fail () at chk_fail.c:28 
#7  0x00007fbffcda2395 in ___snprintf_chk (s=s@entry=0x7ffc78849f91 "      ", maxlen=maxlen@entry=1024, flag=flag@entry=2, slen=slen@entry=991,  
    format=format@entry=0x7ffc78849e20 "%6s") at snprintf_chk.c:29 
#8  0x000056029529824e in snprintf (__fmt=0x7ffc78849e20 "%6s", __n=1024, __s=0x7ffc78849f91 "      ") at /usr/include/bits/stdio2.h:54 
#9  report_close (ctl=ctl@entry=0x7ffc7884ae40) at ui/report.c:143 
#10 0x0000560295299181 in display_close (ctl=ctl@entry=0x7ffc7884ae40) at ui/display.c:127 
#11 0x0000560295293103 in main (argc=&lt;optimized out&gt;, argv=&lt;optimized out&gt;) at ui/mtr.c:828

I am not experienced debugger but what I see is strange, the format string is “%6s”, the maxlen=1024 and it seems to me the string to be printed is 6 spaces. I do not see what is wrong with that.

HenryPootel · April 7, 2023, 12:51pm

A long time ago mtr (by Tumbleweed) stopped working in -r/report mode.

mtr -c 1 -r 8.8.8.8

Start: 2023-04-07T14:48:42+0200
* buffer overflow detected *: terminated
Aborted (core dumped)

I’ve compiled the same version (0.95) from GitHub - traviscross/mtr: Official repository for mtr, a network diagnostic tool and got a good result.

mtr (buffer overflow)

mtr -c 1 -r 8.8.8.8

Start: 2023-04-07T14:48:42+0200 *** buffer overflow detected ***: terminated Aborted (core dumped)

Start: 2023-04-07T14:48:42+0200
* buffer overflow detected *: terminated
Aborted (core dumped)