alpine 3.6
buffer weakness #9


Weakness Breakdown


Buffer overflows are among the best-known software vulnerabilities. Even though most developers know what a buffer overflow is, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which then stores that data in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

    bool found = false;
    char kernel_modules[LINUX_KERNEL_MODULE_SIZE *

    more_printf("Kernel modules\n");

// more_printf(" PCI device no: %d \n", p->pci_device_pos);

    if ((hardware->modules_pcimap_return_code == -ENOMODULESPCIMAP)
	&& (hardware->modules_alias_return_code == -ENOMODULESALIAS)) {
	more_printf(" modules.pcimap and modules.alias files are missing\n");

    /* For every detected pci device, compute its submenu */
    for_each_pci_func(pci_device, hardware->pci_domain) {
	memset(kernel_modules, 0, sizeof kernel_modules);

	for (int kmod = 0;
	     kmod < pci_device->dev_info->linux_kernel_module_count; kmod++) {
	    if (kmod > 0) {
		strncat(kernel_modules, " | ", 3);

	if ((pci_device->dev_info->linux_kernel_module_count > 0)
	    && (!strstr(buffer, kernel_modules))) {
	    found = true;
	    if (pci_device->dev_info->linux_kernel_module_count > 1)
		strncat(buffer, "(", 1);
	    strncat(buffer, kernel_modules, sizeof(kernel_modules));
	    if (pci_device->dev_info->linux_kernel_module_count > 1)
		strncat(buffer, ")", 1);
	    strncat(buffer, " # ", 3);

    if (found == true) {
	strncat(buffer, "\n", 1);
	more_printf("%s", buffer);

static void show_kernel_modules(int argc __unused, char **argv __unused,
				struct s_hardware *hardware)
