
Wednesday, 11 July 2018

strncat() without bounds - Samsung TizenRT

Hi Internet,

Product affected: Samsung TizenRT, a lightweight RTOS-based platform to support low-end IoT devices

Summary: In the file external/webserver/http_client.c, `strncat()` was being used without calculating the remaining length of the destination string buffer. In this case it might allow attackers to trigger a buffer overflow via a long query that is processed by the `strncat` function.

I feel the risk is high because the length parameter appears to be a constant, instead of the computed number of characters left in the destination buffer. Anyway, a quick patch was pushed for this.
#include 
@@ -593,8 +593,8 @@ void http_handle_file(struct http_client_t *client, int method, const char *url,
         } else
             valid = 1;
         /* Need to create file with unique file name */
-        strncat(path, url, HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH);
-        strncat(path, "index.shtml", HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH);
+        strncat(path, url, HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH - strlen(path));
+        strncat(path, "index.shtml", HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH - strlen(path));
         if (valid && (f = fopen(path, "w"))) {
             if (fputs(entity, f) < 0) {
                 HTTP_LOGE("Error: Fail to execute fputs\n");
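Review bot: The new bound `HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH - strlen(path)` leaves no room for the terminator, because strncat() appends up to n characters and then writes a NUL after them. If `path` is exactly HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH bytes (its declaration is outside the hunk), the call can still write one byte past the end; the bound should be `HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH - strlen(path) - 1`. The subtraction is unsigned, so it also needs a guard for the case where `strlen(path)` already reaches the limit, otherwise it wraps to a very large count. The same applies to the strncat() calls in the hunks at -619 and -643. In this hunk both strncat() calls also run when `valid` is 0, and a truncated `path` would be used silently, so checking the combined length up front and rejecting the request is safer than truncating; http_handle_file's body starts and ends outside the hunk.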
@@ -619,7 +619,7 @@ void http_handle_file(struct http_client_t *client, int method, const char *url,
             HTTP_LOGE("ERROR: URL length is too long. Cannot send response\n");
         } else
             valid = 1;
-        if (valid && (f = fopen(strncat(path, url, HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH), "w"))) {
+        if (valid && (f = fopen(strncat(path, url, HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH - strlen(path)), "w"))) {
             if (fputs(entity, f) < 0) {
                 HTTP_LOGE("Error: Fail to execute fputs\n");
                 fclose(f);
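Review bot: Nesting `strncat(path, url, ...)` inside the fopen() argument hides the fact that `path` is modified as a side effect of the condition, and it makes a length check before the open awkward to add. Splitting it into a separate statement, as the hunk at -593 already does, would keep the three branches consistent: `strncat(path, url, remaining);` followed by `if (valid && (f = fopen(path, "w")))`. The unlink() call in the hunk at -643 has the same shape.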
@@ -643,7 +643,7 @@ void http_handle_file(struct http_client_t *client, int method, const char *url,
             HTTP_LOGE("ERROR: URL length is too long. Cannot send response\n");
         } else
             valid = 1;
-        if (valid && unlink(strncat(path, url, HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH))) {
+        if (valid && unlink(strncat(path, url, HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH - strlen(path)))) {
             HTTP_LOGE("fail to delete %s\n", url);
             if (http_send_response(client, 500, HTTP_ERROR_500, NULL) == HTTP_ERROR) {
                 HTTP_LOGE("Error: Fail to send response\n");
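Review bot: `url` comes from the request and is appended to `path` before being passed to unlink() here and to fopen(..., "w") in the two earlier hunks, and nothing visible in these hunks shows that `..` segments or absolute components are rejected. If that validation is not done earlier in http_handle_file or by its caller (both outside the hunk), a length fix alone still lets a request name files outside the intended web root. A comment at the top of each branch such as `/* url has been normalised and confined to the document root by <validator> */` would document where that guarantee comes from, or the check should be added before `valid = 1`.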
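The patch is meant to prevent the buffer overflow by calculating the remaining length of the destination string buffer before each append. Note that `strncat()` also writes a terminating NUL after the appended characters, so this bound is only safe if `path` is at least one byte larger than HTTP_CONF_MAX_REQUEST_HEADER_URL_LENGTH. Hope you like the read.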


Regards
Dhiraj
