Buffer overflows are among the best-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.
Easily used incorrectly.
cpio/src/cpio-2.12/src/tar.c
The highlighted line of code below is the trigger point of this particular Alpine 3.7 buffer weakness.
  if (length > TARPREFIXSIZE)
    length = TARPREFIXSIZE+2;
  for (i = length - 1; i > 0; i--)
    if (name[i] == '/')
      break;
  return i;
}

/* Stash the tar filename and optional prefix in static storage. */
static char *
stash_tar_filename (char *prefix, char *filename)
{
  static char hold_tar_filename[TARNAMESIZE + TARPREFIXSIZE + 2];
  if (prefix == NULL || *prefix == '\0')
    {
      strncpy (hold_tar_filename, filename, TARNAMESIZE);
      hold_tar_filename[TARNAMESIZE] = '\0';
    }
  else
    {
      strncpy (hold_tar_filename, prefix, TARPREFIXSIZE);
      hold_tar_filename[TARPREFIXSIZE] = '\0';
      strcat (hold_tar_filename, "/");
      strncat (hold_tar_filename, filename, TARNAMESIZE);
      hold_tar_filename[TARPREFIXSIZE + TARNAMESIZE] = '\0';
    }
  return hold_tar_filename;
}

/* Convert a number into a string of octal digits.
   Convert long VALUE into a DIGITS-digit field at WHERE,
   including a trailing space and room for a NUL. DIGITS==3 means
   1 digit, a space, and room for a NUL.
   We assume the trailing NUL is already there and don't fill it in.
   This fact is used by start_header and finish_header, so don't change it!
   This is equivalent to:
   sprintf (where, "%*lo ", digits - 2, value);
   except that sprintf fills in the trailing NUL and we don't. */
static void
to_oct (register long value, register int digits, register char *where)
{
  --digits; /* Leave the trailing NUL slot alone. */
  /* Produce the digits -- at least one. */
  do
    {