alpine 3.6
buffer weakness #245

5

Weakness Breakdown


Definition:

Buffer overflows are among the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

sleuthkit/src/sleuthkit-4.3.0/tools/autotools/tsk_comparedir.cpp

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

 }

/**
 * Process a local directory and compare its contents with the image.
 * This will recursively call itself on subdirectories. 
 * @param a_dir Subdirectory of m_lclDir to process. 
 * @returns 1 on error
 */
uint8_t
    TskCompareDir::processLclDir(const TSK_TCHAR * a_dir)
{
    std::set < char *, ltstr >::iterator it;

#ifdef TSK_WIN32
    WIN32_FIND_DATA ffd;
    HANDLE hFind = INVALID_HANDLE_VALUE;
    wchar_t fullpath[TSK_CD_BUFSIZE];
    UTF16 *utf16;
    UTF8 *utf8;
    char file8[TSK_CD_BUFSIZE];

    //create the full path (utf16)
    wcsncpy(fullpath, (wchar_t *) m_lclDir, TSK_CD_BUFSIZE);
    if (wcslen((wchar_t *) a_dir) > 0)
        wcsncat(fullpath, a_dir, TSK_CD_BUFSIZE);

    wcsncat(fullpath, L"\\*", TSK_CD_BUFSIZE);


    //start the directory walk
    hFind = FindFirstFile((LPCWSTR) fullpath, &ffd);
    DWORD err = GetLastError();
    if (hFind == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "Error opening directory: %S\n", fullpath);

        wchar_t message[64];
        FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
            FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, 0,
            (LPWSTR) & message, 64, NULL);
        fprintf(stderr, "error: %S", message);
        return 1;
    }

    do {
        wchar_t file[TSK_CD_BUFSIZE];
        wcsncpy(file, a_dir, TSK_CD_BUFSIZE);
        wcsncat(file, L"\\", TSK_CD_BUFSIZE);
        wcsncat(file, ffd.cFileName, TSK_CD_BUFSIZE);
        //if the file is a directory make recursive call
        if (ffd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { 
