Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buffer overflow possibility on command processing from strcpy use and in DS_FileCreateDest w/ bad size to strncpy #46

Closed
2 tasks done
skliper opened this issue Aug 17, 2022 · 0 comments · Fixed by #47
Closed
2 tasks done

Buffer overflow possibility on command processing from strcpy use and in DS_FileCreateDest w/ bad size to strncpy #46

skliper opened this issue Aug 17, 2022 · 0 comments · Fixed by #47
Assignees
@skliper
Labels
bug draco-rc3
Milestone
Draco

Comments

@skliper
Copy link
Contributor

skliper commented Aug 17, 2022

Checklist (Please check before submitting)

  • I reviewed the Contributing Guide.
  • I performed a cursory search to see if the bug report is relevant, not redundant, nor in conflict with other tickets.

Describe the bug
Pathname from cmd used in strcpy, could overflow table Pathname if not terminated:

DS/fsw/src/ds_cmds.c

Line 766 in 9d0651c

strcpy(pDest->Pathname, DS_DestPathCmd->Pathname);

If DestFile->Pathname isn't null terminated garbage could be added to the Workname which gets copied back to the file name:

DS/fsw/src/ds_file.c

Line 588 in 9d0651c

strncpy(Workname, DestFile->Pathname, WorknameLen - 1);

To Reproduce
This was actually happening in the test, although the test overflowed the buffer to get this condition:

DS/unit-test/ds_file_tests.c

Lines 1038 to 1042 in 9d0651c

/* Set to fail the condition "if (TotalLength != (WorknameLen - 1))" */
for (i = 0; i < WorknameLen - 1; i++)
{
DS_AppData.DestFileTblPtr->File[FileIndex].Pathname[i] = 'a';
}

Expected behavior
Only copy up to the size of the Pathname.

Code snips
See above

System observed on:
CI

Additional context
None

Reporter Info
Jacob Hageman - NASA/GSFC
@skliper skliper added the bug label Aug 17, 2022
@skliper skliper added this to the Draco milestone Aug 17, 2022
@skliper skliper self-assigned this Aug 17, 2022
skliper added a commit to skliper/DS that referenced this issue Aug 17, 2022
@skliper
Fix nasa#46, Resolve possible string buffer overflows
598379a
@skliper skliper mentioned this issue Aug 17, 2022
Merged
2 tasks
dzbaker added a commit that referenced this issue Aug 25, 2022
@dzbaker
Merge pull request #47 from skliper/fix46-strcpy_overflows
96e2021 
Fix #46 #48 #49 #50, Resolve multiple static analysis issues (includes bug fixes) and remove unnecessary UT handlers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skliper skliper

Labels
bug draco-rc3
Projects
None yet
Milestone
Draco
2 participants
@skliper @dmknutsen