centos 7
buffer weakness #29

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks that exploit them remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows in the OWASP attack index.

Warning code(s):

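Easily used incorrectly. (strncat's length argument limits how many characters are taken from the source string, not the size of the destination buffer, and a terminating NUL is always written after the appended characters, so the destination needs room for its current contents plus the appended characters plus one byte.)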

File Name:

sanlock-3.6.0/wdmd/main.c

Context:

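The highlighted line of code below is the trigger point of this particular CentOS 7 buffer weakness. The highlighting is not preserved in this listing; given the warning text, it is presumably one of the strncat calls. In the two loops the append is bounded by the explicit `debug_len + line_len >= DEBUG_SIZE - 1` check, not by strncat's LINE_SIZE argument. The first strncat in the excerpt has no such check within the lines shown, and the code before it is not visible here.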

 	line_len = strlen(line);
	strncat(debug_buf, line, LINE_SIZE);
	debug_len += line_len;

	for (i = 0; i < MAX_SCRIPTS; i++) {
		if (!scripts[i].name[0])
			continue;
		memset(line, 0, sizeof(line));
		snprintf(line, 255, "script %d name %.64s pid %d now %llu start %llu last_result %d run %u fail %u good %u kill %u long %u\n",
			 i, scripts[i].name, scripts[i].pid,
			 (unsigned long long)now,
			 (unsigned long long)scripts[i].start,
			 scripts[i].last_result,
			 scripts[i].run_count,
			 scripts[i].fail_count,
			 scripts[i].good_count,
			 scripts[i].kill_count,
			 scripts[i].long_count);

		line_len = strlen(line);

		if (debug_len + line_len >= DEBUG_SIZE - 1)
			goto out;

		strncat(debug_buf, line, LINE_SIZE);
		debug_len += line_len;
	}

	for (i = 0; i < client_size; i++) {
		if (!client[i].used)
			continue;
		memset(line, 0, sizeof(line));
		snprintf(line, 255, "client %d name %.64s pid %d fd %d dead %d ref %d now %llu renewal %llu expire %llu\n",
			 i, client[i].name, client[i].pid, client[i].fd, client[i].pid_dead, client[i].refcount,
			 (unsigned long long)now,
			 (unsigned long long)client[i].renewal,
			 (unsigned long long)client[i].expire);

		line_len = strlen(line);

		if (debug_len + line_len >= DEBUG_SIZE - 1)
			goto out;

		strncat(debug_buf, line, LINE_SIZE);
		debug_len += line_len;
	}
 out:
	send(fd, debug_buf, debug_len, MSG_NOSIGNAL);
}
 
