alpine 3.6
buffer weakness #254

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against the vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which it then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

samba/src/samba-4.6.16/source4/torture/basic/utable.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

 
	torture_comment(tctx, "Generating valid character table\n");

	memset(valid, 0, sizeof(valid));

	torture_assert(tctx, torture_setup_dir(cli, "\\utable"),
				   "Setting up dir \\utable failed");

	for (c=1; c < 0x10000; c++) {
		char *p;

		SSVAL(c2, 0, c);
		strncpy(fname, "\\utable\\x", sizeof(fname)-1);
		p = fname+strlen(fname);
		len = 0;
		if (!convert_string(CH_UTF16, CH_UNIX,
				     c2, 2, 
				     p, sizeof(fname)-strlen(fname), &len)) {
			torture_comment(tctx, "convert_string failed [%s]\n",
				fname);
			continue;
		}

		p[len] = 0;
		strncat(fname,"_a_long_extension",sizeof(fname)-1);

		fnum = smbcli_open(cli->tree, fname, O_RDWR | O_CREAT | O_TRUNC, 
				DENY_NONE);
		if (fnum == -1) continue;

		chars_allowed++;

		smbcli_qpathinfo_alt_name(cli->tree, fname, &alt_name);

		if (strncmp(alt_name, "X_A_L", 5) != 0) {
			alt_allowed++;
			valid[c] = 1;
			torture_comment(tctx, "fname=[%s] alt_name=[%s]\n", fname, alt_name);
		}

		smbcli_close(cli->tree, fnum);
		smbcli_unlink(cli->tree, fname);

		if (c % 100 == 0) {
			if (torture_setting_bool(tctx, "progress", true)) {
				torture_comment(tctx, "%d (%d/%d)\r", c, chars_allowed, alt_allowed);
				fflush(stdout);
			}
		}
	} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.