alpine 3.6
buffer weakness #93

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

libcrystalhd/src/libcrystalhd-20130708/linux_lib/libcrystalhd/libcrystalhd_fwdiag_if.cpp

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

 	char fwfile[MAX_PATH+1];
	DTS_LIB_CONTEXT		*Ctx = NULL;
	uint32_t	RegVal =0;

	BC_FWDIAG_RES_BLOCK_ST blMsg;

		DebugLog_Trace(LDIL_DBG,"0. fwfile is %s\n",FwBinFile);
	/* Clear Host Message Area */
	status = DtsClearFWDiagCommBlock(hDevice);
	if(status != BC_STS_SUCCESS) {
		DebugLog_Trace(LDIL_DBG,"DtsDownloadFWDIAGToLINK: Failed to clear the message area\n");
		return status;
	}


	DTS_GET_CTX(hDevice,Ctx);

	/* Get the firmware file to download */
	status = DtsGetDILPath(hDevice, fwfile, sizeof(fwfile));
	if(status != BC_STS_SUCCESS){
		return status;
	}

	if(FwBinFile!=NULL){
		strncat(fwfile,(const char*)FwBinFile,sizeof(fwfile));
		DebugLog_Trace(LDIL_DBG,"1. fwfile is %s\n",FwBinFile);
	}else{
		strncat(fwfile,"/",sizeof(fwfile));
		strncat(fwfile,"bcmFWDiag.bin",sizeof(fwfile));
		DebugLog_Trace(LDIL_DBG,"2. fwfile is %s\n",fwfile);
	}

	//Read OTP_CMD registers to see if Keys are already programmed in OTP
	RegVal =0;
	status = DtsFPGARegisterRead(hDevice, OTP_CMD, &RegVal);
	if(status != BC_STS_SUCCESS)
	{
		DebugLog_Trace(LDIL_DBG,"Error Reading DCI_STATUS register\n");
		return status;
	}

	status = fwbinPushToLINK(hDevice, fwfile, &byesDnld);

	if(status != BC_STS_SUCCESS) {
		DebugLog_Trace(LDIL_DBG,"DtsDownloadAuthFwToLINK: Failed to download firmware\n");
		return status;
	}

	/* Check for firmware authentication result */
 
