Buffer Overflow in ip_src (addr.c) #7

Open
e00E opened this issue Jan 11, 2016 · 1 comment

Comments

e00E commented Jan 11, 2016

In addr.c, in `void DumpInterface(const char *Name)`, there is declared at line 156 `char path[sizeof(IPSTACK_ROOT)+1+FILENAME_MAX+1] = IPSTACK_ROOT"/";`.
This makes `path` a fixed-size char array.
In the next line, `strcat(path, Name);`, strcat is used to append the function parameter `Name` to `path`. `DumpInterface` is only used at line 65, `DumpInterface(argv[1]);`, in `addr_main`, which finally gets called in Main.c with `DumpInterface(argv[1]);`.
Putting this together, `argv[2]` is passed as `Name` to `DumpInterface` and can be any string. In particular, it can be a string longer than `sizeof(IPSTACK_ROOT)+1+FILENAME_MAX+1`, making it overflow `path` with user-controlled data.

An example would be simply executing `ip addr AAAAAAAAAAA (...)`.
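
One way to bound the path construction described in the report, as an added example that is not part of the original post or the project's code: a hypothetical helper `build_iface_path` formats the path with `snprintf` and rejects any name that would not fit. The `IPSTACK_ROOT` value is a placeholder (the issue does not show it); the buffer sizing copies the declaration quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder value for this example; the project's real IPSTACK_ROOT
 * is not shown in the issue. */
#define IPSTACK_ROOT "/ipstack-root"

/* Same sizing as the declaration quoted in the issue. */
#define IFACE_PATH_MAX (sizeof(IPSTACK_ROOT) + 1 + FILENAME_MAX + 1)

/*
 * Hypothetical helper: write IPSTACK_ROOT "/" name into out.
 * Returns 0 on success, -1 if the arguments are invalid or the result
 * would not fit in outlen bytes. On failure out is an empty string,
 * so a caller that ignores the return value never sees a truncated path.
 */
static int build_iface_path(char *out, size_t outlen, const char *name)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (name == NULL)
        return -1;

    /* snprintf never writes more than outlen bytes and returns the
     * length the full string would have had, so truncation is detectable. */
    n = snprintf(out, outlen, "%s/%s", IPSTACK_ROOT, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char path[IFACE_PATH_MAX];

    if (argc < 2 || build_iface_path(path, sizeof(path), argv[1]) != 0) {
        fprintf(stderr, "missing or over-long interface name\n");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```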

@thepowersgang
Owner

Nice spot.
