mailsend
A potential Buffer Overflow bug found in mutils.c
Hi, I'm currently trying to use the static analysis tool Infer to find uncaught API-misuse bugs in OpenWrt packages, and I found a potential Buffer Overflow in your project, version 1.19.
The bug is located in mutils.c. First, the program reads the environment variable `PATH` into `p` at line 1234. That variable `p` is later segmented by ':' and finally used as a parameter of `sprintf()`, as shown in the following code:
```c
path=getenv("PATH");
if (path == NULL)
    return(-1);
p=path;
found=0;
while (*p != '\0' && found == 0)
{
    len=0;
    while (*p != ':' && *p != '\0')
    {
        len++;
        p++;
    }
    s=(char) *p;
    *p='\0';
    (void) sprintf(szbuf,"%s/%s",p-len,name);
    *p=s;
    if (*p)
        p++;
    if (access(szbuf,X_OK) == 0)
        found=1;
}
```
As the length of the buffer `szbuf` is 8192 and the maximum length of an env variable is 32768, it remains possible to cause a Buffer Overflow when `p` contains no ':'. I also attached the analysis trace given by Infer, FYI:
```json
"trace": [
  {
    "file": "libs/libmutils/mutils.c",
    "line": 1234,
    "col": 10,
    "feature": [ "Input", "getenv" ]
  },
  {
    "file": "libs/libmutils/mutils.c",
    "line": 1250,
    "col": 16,
    "feature": [
      "BufferOverflow",
      "sprintf",
      [ "BinOp", "-", [ "Var" ], [ "Var" ] ]
    ]
  }
],
```
This function is not used in mailsend but should be fixed nevertheless.
Thank you for your reply
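A bounded version of the PATH search discussed in this thread, as an added example that is not code from mailsend or from either poster. `find_in_path`, `overlong_entry_rejected` and `SZBUF_LEN` are hypothetical names; the 8192-byte buffer size is the one stated in the report.

```c
/* Added example with hypothetical names; not taken from mutils.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SZBUF_LEN 8192   /* szbuf size stated in the report */

/* Look for an executable `name` in each ':'-separated entry of `path`.
 * Returns 0 with the full path in out, or -1 with out set to "". */
int find_in_path(const char *path, const char *name, char *out, size_t outsz)
{
    if (path == NULL || name == NULL || out == NULL || outsz == 0) return -1;
    const char *p = path;
    for (;;) {
        size_t len = strcspn(p, ":");      /* entry length; input is not modified */
        if (len < outsz) {                 /* an entry that cannot fit is skipped */
            int n = snprintf(out, outsz, "%.*s/%s", (int)len, p, name);
            if (n > 0 && (size_t)n < outsz && access(out, X_OK) == 0)
                return 0;                  /* fit without truncation and is executable */
        }
        if (p[len] == '\0') break;
        p += len + 1;                      /* step past the ':' */
    }
    out[0] = '\0';
    return -1;
}

/* Constructed worst case from the report: one entry, no ':', longer than szbuf. */
int overlong_entry_rejected(void)
{
    size_t big = 32767;
    char *path = malloc(big + 1);
    char out[SZBUF_LEN];
    if (path == NULL) return 0;
    memset(path, 'A', big);
    path[big] = '\0';
    int rc = find_in_path(path, "sh", out, sizeof out);
    free(path);
    return rc == -1 && out[0] == '\0';
}

int main(void)
{
    char out[SZBUF_LEN];
    if (find_in_path(getenv("PATH"), "sh", out, sizeof out) == 0)
        puts(out);
    return 0;
}
```

Unlike the quoted loop, this version also leaves the string returned by `getenv()` unmodified while scanning it.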