thepowersgang / acess2

Acess2 Hobby Operating System
http://www.mutabah.net/acess2
zlib License

Buffer Overflow in ip_src (addr.c) #7

Open e00E opened 8 years ago

e00E commented 8 years ago

In addr.c, in void DumpInterface(const char *Name), line 156 declares char path[sizeof(IPSTACK_ROOT)+1+FILENAME_MAX+1] = IPSTACK_ROOT"/";. This makes path a fixed-size char array. In the next line, strcat(path, Name);, strcat is used to append the function parameter Name to path. DumpInterface is only used at line 65, DumpInterface(argv[1]);, in addr_main, which finally gets called in Main.c with DumpInterface(argv[1]);. Putting this together, argv[2] is passed as Name to DumpInterface and can be any string, in particular a string longer than sizeof(IPSTACK_ROOT)+1+FILENAME_MAX+1, making it overflow path with user-controlled data.

An example would be simply executing ip addr AAAAAAAAAAA (...).
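A bounded replacement for the path construction described above, added here as an illustration and not code from the Acess2 repository; the value of IPSTACK_ROOT and the small name limit standing in for FILENAME_MAX are assumptions chosen so the rejection path is easy to exercise:

```c
#include <stdio.h>
#include <string.h>

/* Assumed values: the issue names IPSTACK_ROOT and FILENAME_MAX but does not
 * give their definitions. The name limit is kept small here on purpose. */
#define IPSTACK_ROOT "/Devices/ip"
#define NAME_MAX_LEN 15

/* Same sizing expression as the reported path[] declaration, with
 * NAME_MAX_LEN standing in for FILENAME_MAX. */
#define PATH_BUF_LEN (sizeof(IPSTACK_ROOT) + 1 + NAME_MAX_LEN + 1)

/* Reported pattern (do not use): unbounded append of a user-supplied argument.
 *   char path[PATH_BUF_LEN] = IPSTACK_ROOT "/";
 *   strcat(path, Name);          // writes past path[] when Name is long
 */

/* Hardened replacement: snprintf never writes more than pathsz bytes, and a
 * truncated result is treated as an error rather than silently used as a path.
 * Returns 0 on success, -1 if the name is rejected. */
int build_iface_path(char *path, size_t pathsz, const char *name)
{
    if (name == NULL || name[0] == '\0')
        return -1;
    /* The name is one path component: reject separators and the dot names. */
    if (strchr(name, '/') != NULL || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    if (strlen(name) > NAME_MAX_LEN)
        return -1;
    int n = snprintf(path, pathsz, "%s/%s", IPSTACK_ROOT, name);
    if (n < 0 || (size_t)n >= pathsz)
        return -1;   /* would not fit; unreachable after the length check, kept as defence in depth */
    return 0;
}

/* Wrapper for the checks below: builds into a correctly sized local buffer and
 * reports 1 if the name was accepted, 0 if it was rejected. */
int iface_name_accepted(const char *name)
{
    char path[PATH_BUF_LEN];
    return build_iface_path(path, sizeof path, name) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a normal interface name, an over-long one, a traversal attempt. */
    const char *names[] = { "eth0", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "../passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-34s -> %s\n", names[i], iface_name_accepted(names[i]) ? "accepted" : "rejected");
    return 0;
}
```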

thepowersgang commented 8 years ago

Nice spot.