
Buffer overflow in directory name handling code

Open mtausig opened this issue 2 years ago • 0 comments

In the server's source file utils.c, the path of a user's home directory is copied into a buffer twice if on Windows:

    char new_path[SEAF_PATH_MAX + 1];   /* fixed-size stack buffer */
    char *p = new_path;
    const char *q = src;

    memset(new_path, 0, sizeof(new_path));
    if (*src == '~') {
        const char *home = g_get_home_dir();
        memcpy(new_path, home, strlen(home));   /* no check against SEAF_PATH_MAX */
        p += strlen(new_path);
        q++;
    }
    memcpy(p, q, strlen(q));                    /* remaining input also copied unchecked */

The size of the new_path buffer is defined earlier to be 4096 bytes, but the length of home can be much longer (depending on the filesystem) (e.g. for NTFS, the limit is ~ 32kB).

In the same source file, if on Linux, two more memcpy calls are performed without validating the length of the input buffer:

  • https://github.com/haiwen/seafile-server/blob/96b33251cefb6cf4e2ef00868c604d6fa39dc218/lib/utils.c#L936
  • https://github.com/haiwen/seafile-server/blob/96b33251cefb6cf4e2ef00868c604d6fa39dc218/lib/utils.c#L944

Size checks need to be added.

mtausig Mar 21 '22 10:03
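As an added illustration of the size checks the report asks for (example code, not part of the issue or of seafile-server), the following bounded rewrite of the tilde expansion rejects any result that would not fit in the destination buffer. It takes the home directory as a parameter instead of calling g_get_home_dir() so it builds without GLib, and the over-long home path in the second demo is constructed, not a real path.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#define SEAF_PATH_MAX 4096   /* same buffer size as in the issue */

/* Bounded rewrite of the tilde expansion quoted above. `home` is passed in
 * instead of g_get_home_dir() so the example builds without GLib. Returns
 * true on success; false (dst empty) if result + NUL would not fit dst_size. */
bool expand_tilde(char *dst, size_t dst_size, const char *src, const char *home)
{
    const char *q = src;
    size_t used = 0;
    if (dst_size == 0) return false;
    dst[0] = '\0';
    if (*src == '~') {
        size_t home_len = strlen(home);
        if (home_len >= dst_size) return false;   /* first unchecked memcpy */
        memcpy(dst, home, home_len);
        used = home_len;
        q++;
    }
    size_t rest = strlen(q);
    if (rest >= dst_size - used) return false;    /* second one; keep room for NUL */
    memcpy(dst + used, q, rest);
    dst[used + rest] = '\0';
    return true;
}

/* Ordinary case: "~/docs" with a short home directory expands normally. */
int demo_normal_expansion(void)
{
    char out[SEAF_PATH_MAX + 1];
    return expand_tilde(out, sizeof out, "~/docs", "/home/alice")
           && strcmp(out, "/home/alice/docs") == 0;
}

/* Overflow case: a constructed home path longer than SEAF_PATH_MAX (as an
 * NTFS path can be) is rejected instead of overrunning the stack buffer. */
int demo_overlong_home_rejected(void)
{
    char out[SEAF_PATH_MAX + 1];
    size_t n = SEAF_PATH_MAX + 1000;              /* constructed, not a real path */
    char *home = malloc(n + 1);
    if (!home) return 0;
    memset(home, 'a', n); home[n] = '\0';
    int rejected = !expand_tilde(out, sizeof out, "~/x", home);
    free(home);
    return rejected;
}
```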