alpine 3.6
buffer weakness #88

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which then stores it in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

eudev/src/eudev-3.2.2/src/scsi_id/scsi_serial.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

          */
        if (buffer[3] > MODEL_LENGTH) {
                /*
                 * If the vendor id appears in the page assume the page is
                 * invalid.
                 */
                if (strneq((char *)&buffer[VENDOR_LENGTH], dev_scsi->vendor, VENDOR_LENGTH)) {
                        log_debug("%s: invalid page0 data", dev_scsi->kernel);
                        return 1;
                }
        }
        return 0;
}

/*
 * The caller checks that serial is long enough to include the vendor +
 * model.
 */
static int prepend_vendor_model(struct udev *udev,
                                struct scsi_id_device *dev_scsi, char *serial)
{
        int ind;

        strncpy(serial, dev_scsi->vendor, VENDOR_LENGTH);
        strncat(serial, dev_scsi->model, MODEL_LENGTH);
        ind = strlen(serial);

        /*
         * This is not a complete check, since we are using strncat/cpy
         * above, ind will never be too large.
         */
        if (ind != (VENDOR_LENGTH + MODEL_LENGTH)) {
                log_debug("%s: expected length %d, got length %d",
                     dev_scsi->kernel, (VENDOR_LENGTH + MODEL_LENGTH), ind);
                return -1;
        }
        return ind;
}

/*
 * check_fill_0x83_id - check the page 0x83 id, if OK allocate and fill
 * serial number.
 */
static int check_fill_0x83_id(struct udev *udev,
                              struct scsi_id_device *dev_scsi,
                              unsigned char *page_83,
                              const struct scsi_id_search_values
                              *id_search, char *serial, char *serial_short,
                              int max_len, char *wwn,
                              char *wwn_vendor_extension, char *tgpt_group) 
