fedora 23
buffer weakness #41

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer, so the excess bytes overwrite adjacent memory. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

ctorrent-dnh3.3.2/tracker.cpp

Context:

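The highlighted line of code below is the trigger point of this particular Fedora 23 buffer weakness. (The highlighting is not preserved in this text copy. The warning text "Easily used incorrectly" is the kind of message scanners attach to bounded string functions, so the flagged line is most likely one of the two strncat calls passed as arguments to snprintf. The third argument of strncat limits the number of characters appended, not the size of the destination, so the destination array must hold its current contents plus that count plus the terminating NUL.)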

 {
  char *event,*str_event[] = {"started","stopped","completed" };
  char REQ_BUFFER[2*MAXPATHLEN];
  struct sockaddr_in addr;

  if( m_f_stoped )
    event = str_event[1];	/* stopped */
  else if( !m_f_started ){
    if( BTCONTENT.IsFull() ) m_f_completed = 1;
    event = str_event[0];	/* started */
  }else if( BTCONTENT.IsFull() && !m_f_completed ){
    if( Self.TotalDL() > 0 ) event = str_event[2];  /* download complete */
    else event = (char*) 0;  /* interval */
    m_f_completed = 1;		/* only send download complete once */
  }else
    event = (char*) 0;  /* interval */

  char opt1[20] = "&event=";
  char opt2[12+PEER_ID_LEN] = "&trackerid=";

  if( BTCONTENT.IsFull() ) m_totaldl = Self.TotalDL();
  if(MAXPATHLEN < snprintf(REQ_BUFFER,MAXPATHLEN,REQ_URL_P2_FMT,
                     m_path,
                     event ? strncat(opt1,event,12) : "",
                     *m_trackerid ? strncat(opt2,m_trackerid,PEER_ID_LEN) : "",
                     (unsigned long long)(m_totalul = Self.TotalUL()),
                     (unsigned long long)m_totaldl,
                     (unsigned long long)(BTCONTENT.GetLeftBytes()),
                     (int)cfg_max_peers)){
    return -1;
  }

  // if we have a tracker hostname (not just an IP), send a Host: header
  if(_IPsin(m_host, m_port, &addr) < 0){
    char REQ_HOST[MAXHOSTNAMELEN];
    if(MAXHOSTNAMELEN < snprintf(REQ_HOST,MAXHOSTNAMELEN,"\r\nHost: %s",m_host))
      return -1;
    strcat(REQ_BUFFER, REQ_HOST);
  }

  strcat(REQ_BUFFER, "\r\nUser-Agent: ");
  strcat(REQ_BUFFER, cfg_user_agent);

  strcat(REQ_BUFFER,"\r\n\r\n");
  // hc
  //CONSOLE.Warning(0, "SendRequest: %s", REQ_BUFFER);

  if( 0 !=
      m_request_buffer.PutFlush(m_sock,REQ_BUFFER,strlen((char*)REQ_BUFFER)) ){
    CONSOLE.Warning(2, 
