alpine 3.6
buffer weakness #207

5

Weakness Breakdown


Definition:

Buffer overflows are among the best-known software vulnerabilities. Even though most developers know what a buffer overflow is, attacks against these vulnerabilities remain common in both legacy and newer applications. In a classic buffer overflow, the attacker sends data to a program, which then stores it in an undersized stack buffer, so the write runs past the end of the buffer into adjacent memory. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows in the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

mplayer/src/MPlayer-1.3.0/stream/freesdp/parser.c

Context:

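The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness. The highlighting is not preserved in this text copy; the warning above most plausibly refers to one of the strncat calls in the excerpt. strncat's third argument is the maximum number of characters to append, not the total size of the destination, and a terminating null byte is always written after them. Each call below therefore stays in bounds only if fsdp_buf[1] holds at least MAXSHORTFIELDLEN bytes, a declaration the excerpt does not show, and any input that does not fit is silently truncated.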

                 }	/* else
                           ; TODO: define error code? */
                if (opts >= 3)
                {
                  if (!strncmp (fsdp_buf[1], "IP4", 3))
                    media->a_rtcp_address_type =
                      FSDP_ADDRESS_TYPE_IPV4;
                  else if (!strncmp (fsdp_buf[1], "IP6", 3))
                    media->a_rtcp_address_type =
                      FSDP_ADDRESS_TYPE_IPV6;
                  else
                    return FSDPE_INVALID_CONNECTION_NETTYPE;
                  /*add specific code? */
                  if (opts >= 4)
                    media->a_rtcp_address =
                      strdup (fsdp_buf[2]);
                }
              }
            }
          }
          else
          {
            /* ignore unknown attributes, but provide access to them */
            *fsdp_buf[1] = '\0';
            strncat (fsdp_buf[1], fsdp_buf[0], MAXSHORTFIELDLEN-1);
            strncat (fsdp_buf[1], ":", MAXSHORTFIELDLEN-strlen(fsdp_buf[1])-1);
            strncat (fsdp_buf[1], longfsdp_buf, MAXSHORTFIELDLEN-strlen(fsdp_buf[1])-1);
            if (NULL == media->unidentified_attributes)
            {
              media->unidentified_attributes_count = 0;
              media->unidentified_attributes =
                calloc (UNIDENTIFIED_ATTRIBUTES_MAX_COUNT,
                        sizeof (char *));
            }
            if (media->unidentified_attributes_count <
                UNIDENTIFIED_ATTRIBUTES_MAX_COUNT)
            {
              media->unidentified_attributes
                [media->unidentified_attributes_count] =
                strdup (fsdp_buf[1]);
              media->unidentified_attributes_count++;
            }
          }
          NEXT_LINE (p);
        }
        else if (sscanf (p, "a=%8s", fsdp_buf[0]) == 1)
        {
          /* media-level property attributes */
          if (!strncmp (fsdp_buf[0], "recvonly", 8))
            media->a_sendrecv_mode = FSDP_SENDRECV_RECVONLY; 
