search

vusec / trrespass

TRRespass
Apache License 2.0
119 stars 25 forks source link

Possible buffer overflow at hPatt_2_str #3

Open kobi3028 opened 3 years ago

kobi3028 commented 3 years ago

The function hPatt_2_str 

char *hPatt_2_str(HammerPattern * h_patt, int fields){  
    static char patt_str[256];  
    char *dAddr_str;
    memset(patt_str, 0x00, 256);
    for (int i = 0; i < h_patt->len; i++) {       
          dAddr_str = dAddr_2_str(h_patt->d_lst[i], fields);     
          strcat(patt_str, dAddr_str);      
          if (i + 1 != h_patt->len) {            
               strcat(patt_str, "/");       
          }
    }   
    return patt_str;
}

The function does strcat with patt_str as the destination without checking the buffer limit, that can cause to overflow of the p global pointer that will cause a segmentation fault

tajiaodavid commented 3 years ago

How can I solve this problem?

kobi3028 commented 3 years ago

checking the buffer limit before calling to strcat, will solve the problem, you can use dynamic allocation in case 256 bytes is not large enough

bygo7 commented 2 years ago

Oh same as mine, changing the allocation size from 256 to 1024 has solved the problem in my case.