1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
From: Zephkeks <zephyrofficialdiscord@gmail.com>
Date: Sat, 17 May 2025 22:11:37 +0200
Subject: proc.c: Stack-based Buffer Overflow in net-tools (proc_gen_fmt)
Origin: https://github.com/ecki/net-tools/commit/84041080a5d4794045b098ced90e0309bcbcff44
Coordinated as GHSA-w7jq-cmw2-cq59.
---
lib/proc.c | 37 ++++++++++++++++++++++++++++++++++---
1 file changed, 34 insertions(+), 3 deletions(-)
--- a/lib/proc.c
+++ b/lib/proc.c
@@ -17,6 +17,8 @@ char *proc_gen_fmt(const char *name, int
char buf[512], format[512] = "";
char *title, *head, *hdr;
va_list ap;
+ size_t format_len = 0;
+ size_t format_size = sizeof(format);
if (!fgets(buf, (sizeof buf) - 1, fh))
return NULL;
@@ -33,14 +35,43 @@ char *proc_gen_fmt(const char *name, int
*hdr++ = 0;
if (!strcmp(title, head)) {
- strcat(format, va_arg(ap, char *));
+ const char *arg = va_arg(ap, char *);
+ size_t arg_len = strlen(arg);
+
+ /* Check if we have enough space for format specifier + space */
+ if (format_len + arg_len + 1 >= format_size) {
+ fprintf(stderr, "warning: format buffer overflow in %s\n", name);
+ va_end(ap);
+ return NULL;
+ }
+
+ strcpy(format + format_len, arg);
+ format_len += arg_len;
+
title = va_arg(ap, char *);
if (!title || !head)
break;
} else {
- strcat(format, "%*s"); /* XXX */
+ /* Check if we have enough space for "%*s" */
+ if (format_len + 3 >= format_size) {
+ fprintf(stderr, "warning: format buffer overflow in %s\n", name);
+ va_end(ap);
+ return NULL;
+ }
+
+ strcpy(format + format_len, "%*s");
+ format_len += 3;
}
- strcat(format, " ");
+
+ /* Check if we have space for the trailing space */
+ if (format_len + 1 >= format_size) {
+ fprintf(stderr, "warning: format buffer overflow in %s\n", name);
+ va_end(ap);
+ return NULL;
+ }
+
+ format[format_len++] = ' ';
+ format[format_len] = '\0';
}
va_end(ap);
|
