Hi, I'm currently trying to use the static analysis tool Infer to find uncaught API-misuse bugs in OpenWrt packages, and I found a potential Buffer Overflow in your project, version 1.19.
The bug is located in mutils.c. Firstly, the program reads the environment variable `PATH` to `p` in line 1234. That variable `p` is later segmented by ':', and finally used as the parameter of `sprintf()`, as shown in the following code:
```c
path=getenv("PATH");
if (path == NULL)
    return(-1);
p=path;
found=0;
while (*p != '\0' && found == 0)
{
    len=0;
    while (*p != ':' && *p != '\0')
    {
        len++;
        p++;
    }
    s=(char) *p;
    *p='\0';
    (void) sprintf(szbuf,"%s/%s",p-len,name);
    *p=s;
    if (*p)
        p++;
    if (access(szbuf,X_OK) == 0)
        found=1;
}
```
As the length of buffer `szbuf` is 8192 and the maximum length of an env variable is 32768, it remains possible to cause a Buffer Overflow when `p` contains no ':'. I also attached the analysis trace given by Infer FYI:
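A bounded version of the PATH lookup quoted above, as an added example that is not part of the original report or of the project's code: it formats each entry with `snprintf()`, treats a truncated result as "not found", and only reads the PATH string. The function names `join_path_entry` and `find_in_path` and the macro `SZBUF_LEN` are hypothetical; the 8192-byte size is the one stated in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SZBUF_LEN 8192  /* buffer size stated in the report */

/* Join one PATH entry (dir, dirlen bytes) and a program name into out.
 * Returns 0 on success, -1 if the joined path would not fit in outlen. */
static int join_path_entry(char *out, size_t outlen,
                           const char *dir, size_t dirlen, const char *name)
{
    int n;
    if (dirlen >= outlen)              /* the entry alone cannot fit */
        return -1;
    n = snprintf(out, outlen, "%.*s/%s", (int) dirlen, dir, name);
    if (n < 0 || (size_t) n >= outlen) /* error or truncated output */
        return -1;
    return 0;
}

/* Search a PATH-style string for an executable called name.
 * Returns 0 and fills out on success, -1 otherwise.
 * The PATH string is only read, never written to. */
static int find_in_path(const char *path, const char *name,
                        char *out, size_t outlen)
{
    const char *p = path;
    if (path == NULL || name == NULL || outlen == 0)
        return -1;
    while (*p != '\0') {
        size_t len = strcspn(p, ":");  /* length of the current entry */
        if (join_path_entry(out, outlen, p, len, name) == 0 &&
            access(out, X_OK) == 0)
            return 0;
        p += len;
        if (*p == ':')
            p++;
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    char szbuf[SZBUF_LEN];
    if (find_in_path(getenv("PATH"), "sh", szbuf, sizeof szbuf) == 0)
        puts(szbuf);
    return 0;
}
```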