Fedora 23
Buffer weakness #47

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

garden-1.0.9/src/main.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 buffer weakness.

 
	Thanks to Thomas Harte for this code! I had no idea it was necessary (it isn't on my Windows XP computer, and
	I haven't tested it).

	*/
	char filename_buffer [DATADIR_SIZE];
	strncpy(filename_buffer, data_directory, sizeof(filename_buffer));
	strncat(filename_buffer, "init.txt", sizeof(filename_buffer));
	if (access(filename_buffer, W_OK) == 0)
	{/*We can write the init file*/
		set_config_file(filename_buffer);
	}
	else
	{/*We can not write the init where it is*/
		char right_path[512];
		const char * unix_path = getenv("HOME");
		const char * vista_path = getenv("APPDATA");
		strncpy(right_path, (unix_path != NULL ? unix_path : vista_path), sizeof(right_path) );
		strncat(right_path, "/.garden", sizeof(right_path) );
		if (access(right_path, R_OK) != 0 ) /* we have to mkdir */
		{
			/* platform-specific function, see system.h*/
			MKDIR(right_path);
		}
		strncat(right_path, "/init.txt", sizeof(right_path) );
		if (access(right_path, R_OK) != 0 )
		{
			char buffer[128];
			int bytes_read;
			FILE * unwritable_file = fopen(filename_buffer, "r");
			FILE * init_file = fopen(right_path, "w");
			while (bytes_read = fread(buffer, 1, sizeof(buffer), unwritable_file) )
				fwrite ( buffer, 1, bytes_read, init_file );
			fclose(init_file);
			fclose(unwritable_file);
		}
		set_config_file(right_path);
	}
	/*#ifdef UNIX_OSX_VISTA_ETC

	   {

	     char *HPath = getenv("HOME");

	// use this if for some reason you're running Windows Vista:
	//        char *HPath = getenv("APPDATA");

		 char ConfigPath[2048];

		 sprintf(ConfigPath, "%s/.GardenOfColouredLights", HPath); 
