
Potential buffer overflow in RecordCommand() function in bzfs module

Open: vien2024 opened this issue 1 year ago (1 comment)

General

I spotted a potential buffer overflow in the RecordCommand() function in the commands.cxx file of the bzfs module: https://github.com/BZFlag-Dev/bzflag/blob/2.4/src/bzfs/commands.cxx

Description

The filename array has a fixed length; the user-input buffer could overflow the filename array in sscanf() because its length is not checked.

```cpp
            Record::sendHelp (t);
    }
    else if (strncasecmp (buf, "save", 4) == 0)
    {
        buf = buf + 4;
        char filename[MessageLen];

        while ((*buf != '\0') && isspace (*buf)) buf++; // eat whitespace
        if (*buf == '\0')
        {
            Record::sendHelp (t);
            return true;
        }

        // get the filename
        sscanf (buf, "%s", filename); // BUFFER OVERFLOW due to unchecked size (line 3667)
```

Impact

This could lead to a denial of service of the program.

vien2024 commented Feb 28 '24 03:02
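The unbounded `%s` conversion is the classic sscanf hazard: with no field width, sscanf copies the whole whitespace-delimited token regardless of the destination size. The following is an added example, not bzflag project code, showing two bounded alternatives for reading a token into a fixed `filename[MessageLen]` buffer. `MessageLen = 128` is assumed here so that the `%127s` width lines up with the buffer; the helper names are hypothetical.

```c
/* Added example (not bzflag code): bounding a "%s" scan into a fixed-size
 * buffer.  MessageLen = 128 is an assumption made for this example so the
 * field width below matches the buffer size. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MessageLen 128

/* The literal width in the format string must track the buffer size. */
_Static_assert(MessageLen == 128, "update the %127s width if MessageLen changes");

/* Variant 1: same sscanf call, but with a field width.  "%127s" stores at
 * most 127 characters plus the NUL terminator, so filename cannot overflow
 * no matter how long buf is.  Returns 1 if a token was read, 0 otherwise. */
int scan_filename_bounded(const char *buf, char filename[MessageLen])
{
    return sscanf(buf, "%127s", filename) == 1;
}

/* Check helper: scan buf with the bounded format and return the length of
 * the resulting filename, or -1 if no token was present. */
int bounded_scan_length(const char *buf)
{
    char filename[MessageLen];
    if (!scan_filename_bounded(buf, filename))
        return -1;
    return (int)strlen(filename);
}

/* Variant 2: explicit token copy that reports truncation instead of silently
 * cutting the name short.  Skips leading whitespace, copies the first
 * whitespace-delimited token into out (at most outlen-1 bytes) and always
 * NUL-terminates.  Returns the token length, or -1 if there was no token or
 * it did not fit. */
int copy_filename_token(const char *buf, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    while (*buf != '\0' && isspace((unsigned char)*buf))
        buf++;                                  /* eat whitespace */
    if (*buf == '\0') {
        out[0] = '\0';
        return -1;                              /* nothing to copy */
    }
    while (*buf != '\0' && !isspace((unsigned char)*buf)) {
        if (n + 1 >= outlen) {                  /* would not fit: refuse */
            out[n] = '\0';
            return -1;
        }
        out[n++] = *buf++;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample inputs: a normal command tail and an oversized one. */
    char filename[MessageLen];
    char oversized[300];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    scan_filename_bounded("  game.rec extra", filename);
    printf("bounded scan: \"%s\"\n", filename);
    printf("oversized input scans to %d chars\n", bounded_scan_length(oversized));
    printf("explicit copy of oversized input returns %d\n",
           copy_filename_token(oversized, filename, sizeof filename));
    return 0;
}
```

Variant 1 is the minimal change to the pattern quoted in the issue; variant 2 is preferable when the caller should reject an over-long name outright rather than silently save to a truncated filename. Even where the calling code guarantees that `buf` is already shorter than `MessageLen`, the width specifier documents that bound and keeps the scan safe if the invariant is ever broken.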

If I'm reading the other code correctly, the length of buf should always be less than MessageLen since it's a substring of another string of text from a MessageLen sized buffer.

blast007 commented Mar 16 '24 16:03