Electrux / ls_extended

ls with coloring and icons
BSD 3-Clause "New" or "Revised" License

Fixed Buffer Overflow in src/ls.c #20

Closed maxbeckmann closed 6 years ago

maxbeckmann commented 6 years ago

The function ls in src/ls.c is vulnerable to a buffer overflow due to insufficient bounds checks on the loc argument. It is copied to the fixed-size buffer final_loc, holding 1024 bytes at most. Any input exceeding this bound therefore leads to a corruption of neighboring memory regions.

Steps to reproduce (requires gdb and python3), in the project's root directory:

$ ./build.sh
$ gdb --args ./bin/ls_extended $(python3 -c 'print("a" * 2000)')
(gdb) run

The stack protection introduced by gcc will then detect a stack smash attack.
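A bounded copy of the kind this report calls for, as an added example that is not the project's code or the submitter's patch; the 1024-byte size comes from the report, while the function names and the `accepts_path_of_length` helper (which builds the same 2000-byte argument the reproduction uses) are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define FINAL_LOC_SIZE 1024   /* size the report gives for final_loc in src/ls.c */

/* Hypothetical bounded replacement for the unchecked copy of `loc` into
 * `final_loc` described above; not the project's own code. Fills `out` and
 * returns true on success; returns false and leaves `out` empty when `loc`
 * plus its NUL terminator would not fit, so the caller fails loudly instead
 * of silently truncating a path or overrunning the stack. */
bool copy_loc_checked(char out[FINAL_LOC_SIZE], const char *loc)
{
    size_t len = strlen(loc);
    if (len >= FINAL_LOC_SIZE) {      /* no room left for the terminator */
        out[0] = '\0';
        return false;
    }
    memcpy(out, loc, len + 1);        /* copies the terminator too */
    return true;
}

/* Same rule expressed with snprintf: a return value >= the buffer size means
 * the output was truncated, which must be treated as an error, not ignored. */
bool copy_loc_snprintf(char out[FINAL_LOC_SIZE], const char *loc)
{
    int n = snprintf(out, FINAL_LOC_SIZE, "%s", loc);
    if (n < 0 || (size_t)n >= FINAL_LOC_SIZE) {
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Builds a constructed argument of n 'a' bytes (like the report's python3
 * one-liner) and reports whether both bounded copies accept it. */
bool accepts_path_of_length(size_t n)
{
    char *loc = malloc(n + 1);
    char final_loc[FINAL_LOC_SIZE];
    if (!loc) return false;
    memset(loc, 'a', n);
    loc[n] = '\0';
    bool ok_memcpy = copy_loc_checked(final_loc, loc);
    bool ok_snprintf = copy_loc_snprintf(final_loc, loc);
    free(loc);
    return ok_memcpy && ok_snprintf;  /* both must accept; either rejects an overlong path */
}
```

A 1023-byte path (plus terminator) is the longest that fits; 1024 bytes or the report's 2000-byte argument is rejected instead of reaching the stack.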

Electrux commented 6 years ago

I hadn't thought of that. Thanks a lot! :)