fedora 23
buffer weakness #7

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against the vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which it then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

apcupsd-3.14.13/src/win32/email.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 buffer weakness.

    MapiMessage emsg = {0, 
      default_msg,                     /* default subject */
      default_text,                    /* default message text */
      NULL, NULL, NULL, 0, NULL,
      1, &recip, 0, NULL};

   char default_name[] = "root";
   char default_addr[] = "SMTP:root";
   recip.ulReserved = 0;
   recip.ulRecipClass = MAPI_TO;
   recip.lpszName = default_name;      /* default name */
   recip.lpszAddress = default_addr;   /* default address */
   recip.ulEIDSize = 0;
   recip.lpEntryID = NULL;

   for (i=1; i<argc; i++) {
      if (strcmp(argv[i], "-s") == 0) {        /* Subject */
         if (++i < argc)
            emsg.lpszSubject = argv[i];
      } else if (strcmp(argv[i], "-m") == 0) { /* Message text */
         if (++i < argc)
            emsg.lpszNoteText = argv[i];
      } else {				       /* address */
         strncpy(addr, "SMTP:", sizeof(addr));
         strncat(addr, argv[i], sizeof(addr));
         recip.lpszAddress = addr;
         recip.lpszName = argv[i];
      }
   }

   err = MAPISendMail(0L, 0L, &emsg, 0L, 0L);

   if (err != SUCCESS_SUCCESS) {
      char buf[100];
      snprintf(buf, sizeof(buf), "MAPI error code = %d", (int)err);

// Note, if we put up a dialogue box, this may stall the
// calling script, not a good thing.
//    MessageBox(NULL, buf, "Error", MB_OK);
      printf(buf);
      exit(1);
   }
   exit(0);
} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.