fedora 25
buffer weakness #35

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against the vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which it then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

cfitsio/iraffits.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 25 buffer weakness.

 /*  WDP - 10/16/2007 - increased allocation to avoid possible overflow */
/*    newpixname = (char *) calloc (SZ_IM2PIXFILE, sizeof (char)); */

    newpixname = (char *) calloc (2*SZ_IM2PIXFILE+1, sizeof (char));
    if (newpixname == NULL) {
            ffpmsg("iraffits same_path: Cannot alloc memory for newpixname");
	    return (NULL);
	}

    /* Pixel file is in same directory as header */
    if (strncmp(pixname, "HDR$ ", 4) == 0 ) {
	(void)strncpy (newpixname, hdrname, SZ_IM2PIXFILE);

	/* find the end of the pathname */
	len = strlen (newpixname);
#ifndef VMS
	while( (len > 0) && (newpixname[len-1] != '/') )
#else
	while( (len > 0) && (newpixname[len-1] != ']') && (newpixname[len-1] != ':') )
#endif
	    len--;

	/* add name */
	newpixname[len] = '\0';
	(void)strncat (newpixname, &pixname[4], SZ_IM2PIXFILE);
	}

    /* Bare pixel file with no path is assumed to be same as HDR$ filename */
    else if (strchr (pixname, '/') == NULL && strchr (pixname, '$ ') == NULL) {
	(void)strncpy (newpixname, hdrname, SZ_IM2PIXFILE);

	/* find the end of the pathname */
	len = strlen (newpixname);
#ifndef VMS
	while( (len > 0) && (newpixname[len-1] != '/') )
#else
	while( (len > 0) && (newpixname[len-1] != ']') && (newpixname[len-1] != ':') )
#endif
	    len--;

	/* add name */
	newpixname[len] = '\0';
	(void)strncat (newpixname, pixname, SZ_IM2PIXFILE);
	}

    /* Pixel file has same name as header file, but with .pix extension */
    else if (strncmp (pixname, "HDR", 3) == 0) {

	/* load entire header name string into name buffer */
	(void)strncpy (newpixname, hdrname, SZ_IM2PIXFILE); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.