alpine 3.7
buffer weakness #15

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

cfengine/src/cfengine-3.11.0/cf-agent/verify_files_utils.c

Context:

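The highlighted line of code below is the trigger point of this particular Alpine 3.7 buffer weakness. The highlighting is not preserved in this text copy, and the excerpt starts and ends partway through the function. The warning text "Easily used incorrectly" most likely refers to the `strncat(vbuff, linkbuf, CF_BUFSIZE - 1)` call: the third argument of `strncat` limits how many characters are appended, not the total size of the destination, so it does not account for the directory path already copied into `vbuff`. A bounded append sized by the whole destination buffer, such as `strlcat(vbuff, linkbuf, sizeof(vbuff))` with a check for truncation, avoids writing past the end of `vbuff`.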

 {
    char linkbuf[CF_BUFSIZE];
    const char *lastnode;
    struct stat dsb;
    PromiseResult result = PROMISE_RESULT_NOOP;

    linkbuf[0] = '\0';

    if ((S_ISLNK(sb->st_mode)) && (cf_readlink(ctx, sourcefile, linkbuf, CF_BUFSIZE, attr, pp, conn, &result) == -1))
    {
        cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, attr, "Can't readlink '%s'", sourcefile);
        return PROMISE_RESULT_FAIL;
    }
    else if (S_ISLNK(sb->st_mode))
    {
        Log(LOG_LEVEL_VERBOSE, "Checking link from '%s' to '%s'", destfile, linkbuf);

        if ((attr.copy.link_type == FILE_LINK_TYPE_ABSOLUTE) && (!IsAbsoluteFileName(linkbuf)))        /* Not absolute path - must fix */
        {
            char vbuff[CF_BUFSIZE];

            strlcpy(vbuff, sourcefile, CF_BUFSIZE);
            ChopLastNode(vbuff);
            AddSlash(vbuff);
            strncat(vbuff, linkbuf, CF_BUFSIZE - 1);
            strlcpy(linkbuf, vbuff, CF_BUFSIZE);
        }
    }
    else
    {
        strlcpy(linkbuf, sourcefile, CF_BUFSIZE);
    }

    lastnode = ReadLastNode(sourcefile);

    if (MatchRlistItem(ctx, attr.copy.copy_links, lastnode))
    {
        struct stat ssb;

        ExpandLinks(linkbuf, sourcefile, 0);
        Log(LOG_LEVEL_VERBOSE, "Link item in copy '%s' marked for copying from '%s' instead", sourcefile,
              linkbuf);
        stat(linkbuf, &ssb);
        return CfCopyFile(ctx, linkbuf, destfile, ssb, attr, pp, inode_cache, conn);
    }

    int status;
    switch (attr.copy.link_type)
    {
    case FILE_LINK_TYPE_SYMLINK: 
