fedora 24
buffer weakness #21


Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks exploiting these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors, and many more. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Does not check for buffer overflows.

File Name:

CoinUtils-2.10.11/src/CoinMpsIO.cpp

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 buffer weakness.

 	  }
	}
      }
    }
    free ( columnType );
    if ( cardReader_->whichSection (  ) != COIN_ENDATA_SECTION &&
	 cardReader_->whichSection (  ) != COIN_QUAD_SECTION &&
	 cardReader_->whichSection (  ) != COIN_CONIC_SECTION ) {
      handler_->message(COIN_MPS_BADIMAGE,messages_)<<cardReader_->cardNumber()
						    <<cardReader_->card()
						    <<CoinMessageEol;
      handler_->message(COIN_MPS_RETURNING,messages_)<<CoinMessageEol;
      return numberErrors+100000;
    }
  } else {
    // This is very simple format - what should we use?
    COINColumnIndex i;
    
    /* old: 
       FILE * fp = cardReader_->filePointer();
       fscanf ( fp, "%d %d %d\n", &numberRows_, &numberColumns_, &i);
    */
    // new:
    char buffer[1000];
    cardReader_->fileInput ()->gets (buffer, 1000);
    sscanf (buffer, "%d %d %d\n", &numberRows_, &numberColumns_, &i);

    numberElements_  = i; // done this way in case numberElements_ long

    rowlower_ = reinterpret_cast<double *> (malloc ( numberRows_ * sizeof ( double )));
    rowupper_ = reinterpret_cast<double *> (malloc ( numberRows_ * sizeof ( double )));
    for ( i = 0; i < numberRows_; i++ ) {
      int j;

      // old: fscanf ( fp, "%d %lg %lg\n", &j, &rowlower_[i], &rowupper_[i] );
      // new:
      cardReader_->fileInput ()->gets (buffer, 1000);
      sscanf (buffer, "%d %lg %lg\n", &j, &rowlower_[i], &rowupper_[i] );

      assert ( i == j );
    }
    collower_ = reinterpret_cast<double *> (malloc ( numberColumns_ * sizeof ( double )));
    colupper_ = reinterpret_cast<double *> (malloc ( numberColumns_ * sizeof ( double )));
    objective_= reinterpret_cast<double *> (malloc ( numberColumns_ * sizeof ( double )));
    start = reinterpret_cast<CoinBigIndex *> (malloc ((numberColumns_ + 1) *
				       sizeof (CoinBigIndex)));
    row = reinterpret_cast<COINRowIndex *> (malloc (numberElements_ * sizeof (COINRowIndex)));
    element = reinterpret_cast<double *> (malloc (numberElements_ * sizeof (double)));

    start[0] = 0; 
