5ghub / 5G-NB-IoT


Unsafe against buffer overflows #4

Open maxgerhardt opened 2 years ago

maxgerhardt commented 2 years ago
```cpp
bool _5G_NB_IoT_SSL::SetSSLCertificate(unsigned int ssl_index, char *ca_cert_path, char *client_cert_path, char *client_key_path, bool validity_check)
{
    char cmd[64],buf[64];
    strcpy(cmd, SSL_CONFIG_PARAMETER);
    if(ca_cert_path == "" && client_cert_path == "" && client_key_path == ""){
        sprintf(buf, "=\"seclevel\",%d,0", ssl_index);
        strcat(cmd, buf);
        if(sendAndSearch(cmd, RESPONSE_OK, RESPONSE_ERROR, 5)){
            return true;
        }
    }else if(ca_cert_path != "" && client_cert_path == "" && client_key_path == ""){
        sprintf(buf, "=\"seclevel\",%d,1", ssl_index);
        strcat(cmd, buf);
        if(!sendAndSearch(cmd, RESPONSE_OK, RESPONSE_ERROR, 5)){
            return false;
        }
        memset(cmd, '\0', 64);
        memset(buf, '\0', 32);
        strcpy(cmd, SSL_CONFIG_PARAMETER);
        sprintf(buf, "=\"cacert\",%d,\"%s\"", ssl_index, ca_cert_path);
        strcat(cmd, buf);
...
```

The library uses sprintf all over the place, which does no max length checking. Supplying a ca_cert_path beyond 64 characters buffer-overflows the buf variable and subsequently cmd.

There are 104 usages of sprintf in the library, many of which might be similarly vulnerable.
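A bounded way to build the `cacert` command from the snippet above, shown as an added example and not code from the issue or from the library. `format_checked` and `build_cacert_cmd` are hypothetical helpers, and the `SSL_CONFIG_PARAMETER` value is a placeholder because the issue does not show it. The helper goes beyond the one call quoted above: it can stand in for any `sprintf` into a fixed-size buffer.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder: the macro's real value is not shown in the issue. */
#define SSL_CONFIG_PARAMETER "+SSLCFG_PLACEHOLDER"
#define CMD_MAX 64 /* size of cmd[] in the quoted function */

/* Bounded formatter (hypothetical helper). Returns false and leaves out
 * empty if the result would not fit; never writes past out_size bytes. */
bool format_checked(char *out, size_t out_size, const char *fmt, ...)
{
    if (out == NULL || out_size == 0 || fmt == NULL)
        return false;
    va_list ap;
    va_start(ap, fmt);
    /* vsnprintf returns the length the full output needs, excluding the
     * terminator, so n >= out_size means the output was truncated. */
    int n = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0'; /* leave no truncated command for the caller to send */
        return false;
    }
    return true;
}

/* Builds <prefix>="cacert",<ssl_index>,"<ca_cert_path>" in one bounded
 * step, replacing the strcpy + sprintf + strcat sequence. */
bool build_cacert_cmd(char *out, size_t out_size, unsigned int ssl_index,
                      const char *ca_cert_path)
{
    if (ca_cert_path == NULL)
        return false;
    return format_checked(out, out_size, "%s=\"cacert\",%u,\"%s\"",
                          SSL_CONFIG_PARAMETER, ssl_index, ca_cert_path);
}

int main(void)
{
    char cmd[CMD_MAX], long_path[101]; /* constructed 100-character path */
    memset(long_path, 'a', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';
    printf("short: %d\n", build_cacert_cmd(cmd, sizeof cmd, 1, "ca.pem"));
    printf("long:  %d\n", build_cacert_cmd(cmd, sizeof cmd, 1, long_path));
    return 0;
}
```

The caller has to treat a `false` return as a failure of `SetSSLCertificate` rather than sending whatever is in the buffer.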