alpine 3.6
buffer weakness #291

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

rsyslog/src/rsyslog-8.26.0/tools/omusrmsg.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

 			continue;
#ifndef OS_BSD
		if(ut.ut_type != USER_PROCESS)
			continue;
#endif
		if(!(strncmp (ut.UTNAME,"LOGIN", 6))) /* paranoia */
			continue;

		/* should we send the message to this user? */
		if(pData->bIsWall == 0) {
			for(i = 0; i < MAXUNAMES; i++) {
				if(!pData->uname[i][0]) {
					i = MAXUNAMES;
					break;
				}
				if(strncmp(pData->uname[i], ut.UTNAME, UNAMESZ) == 0)
					break;
			}
			if(i == MAXUNAMES) /* user not found? */
				continue; /* on to next user! */
		}

		/* compute the device name */
		strcpy(p, _PATH_DEV);
		strncat(p, ut.ut_line, UNAMESZ);

		/* we must be careful when writing to the terminal. A terminal may block
		 * (for example, a user has pressed <ctl>-s). In that case, we can not
		 * wait indefinitely. So we need to use non-blocking I/O. In case we would
		 * block, we simply do not send the message, because that's the best we can
		 * do. -- rgerhards, 2008-07-04
		 */

		/* open the terminal */
		if((ttyf = open(p, O_WRONLY|O_NOCTTY|O_NONBLOCK)) >= 0) {
			if(fstat(ttyf, &statb) == 0 && (statb.st_mode & S_IWRITE)) {
				wrRet = write(ttyf, pMsg, strlen((char*)pMsg));
				if(Debug && wrRet == -1) {
					/* we record the state to the debug log */
					errnoSave = errno;
					rs_strerror_r(errno, (char*)szErr, sizeof(szErr));
					dbgprintf("write to terminal '%s' failed with [%d]:%s\n",
						  p, errnoSave, szErr);
				}
			}
			close(ttyf);
		}
	}

	/* close the user login file */ 
