CentOS 7
buffer weakness #11

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

ipmitool-1.8.18/lib/ipmi_sunoem.c

Context:

The flagged line of code below is the trigger point of this particular CentOS 7 buffer weakness.

	}

	nacname_req.seq_num = 0;
	strcpy(nacname_req.nac_name, argv[0]);

	full_nac_name[0] = '\0';
	while (1) {
		memset(&req, 0, sizeof(req));
		req.msg.netfn = IPMI_NETFN_SUNOEM;
		req.msg.cmd = IPMI_SUNOEM_NACNAME;
		req.msg.data = (uint8_t *) &nacname_req;
		req.msg.data_len = sizeof(sunoem_nacname_t);
		rsp = intf->sendrecv(intf, &req);

		if (rsp == NULL) {
			lprintf(LOG_ERR, "Sun OEM nacname command failed.");
			return (-1);
		}
		if (rsp->ccode != 0) {
			lprintf(LOG_ERR, "Sun OEM nacname command failed: %d", rsp->ccode);
			return (-1);
		}

		nacname_rsp = (sunoem_nacname_t *) rsp->data;
		strncat(full_nac_name, nacname_rsp->nac_name, MAX_SUNOEM_NAC_SIZE);

		/*
		 * break out of the loop if there is no more data
		 * In most cases, if not all, the NAC name fits into a
		 * single payload
		 */
		if (nacname_req.seq_num == nacname_rsp->seq_num) {
			break;
		}

		/* Get the next seq of string bytes */
		nacname_req.seq_num = nacname_rsp->seq_num;

		/* Check if we exceeded the size of the full nac name */
		if ((nacname_req.seq_num * MAX_SUNOEM_NAC_SIZE) > LUAPI_MAX_OBJ_PATH_LEN) {
			lprintf(LOG_ERR,
					"Sun OEM nacname command failed: invalid path length");
			return (-1);
		}
	}

	printf("NAC Name: %s\n", full_nac_name);
	return (0);
}