:: Re: [DNG] Systemd Shims
Góra strony
Delete this message
Reply to this message
Autor: Rainer Weikusat
Data:  
Dla: dng
Temat: Re: [DNG] Systemd Shims
Laurent Bercot <ska-devel@???> writes:

[...]

>>     int saveFile(char* essid, char* pw) //argv[2], argv[3]
>>     {
>>         char ifilename[1024];
>>         strcpy(ifilename, path_to_interfaces_files);

>>         
>>         strcat(ifilename, "/");
>>         strcat(ifilename, essid);

>
> Boom. You're dead.


[...]

> ifilename is 1024 bytes long. You are assuming that essid, and
> whatever comes afterwards, will fit into 1024 bytes. This is true
> for normal inputs, which is certainly what you tested your program
> against, but the input is given as a command line argument to your
> program: you do not control the input. *The user* controls the input.
> And a malicious user could very well give an essid argument that is
> longer than 1024 bytes.


That's presumably not much of a problem because a single user attacking
his own system is probably not much of a problem: Break whatever you
like. It's yours.

A more interesting issue is that 'essid' is likely something harvested
from AP broadcasting one. According to a quick check, a valid ESSID can
be at most 32 octets and it can't be more than 256 octets even if
someone configures something he controls to send invalid ESSIDs and the
software processing these doesn't check since there's a 1 byte length
field. This means the code above, when used as intended, it likely
'accidentally safe' but relying on 'lucky accidents' like this is
nevertheless an extremely bad idea.