Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Potential buffer overflow in RecordCommand() function in bzfs module #342

Open
vien2024 opened this issue Feb 28, 2024 · 1 comment
Open
Milestone

Comments

@vien2024
Copy link

General

I spot a potential buffer overflow in the RecordCommand() function in commands.cxx file in bzfs module:
https://github.com/BZFlag-Dev/bzflag/blob/2.4/src/bzfs/commands.cxx

Description

The filename array has fixed length, user-input buffer could overflow the filename array in sscanf() due to unchecked length.

            Record::sendHelp (t);
    }
    else if (strncasecmp (buf, "save", 4) == 0)
    {
        buf = buf + 4;
        char filename[MessageLen];

        while ((*buf != '\0') && isspace (*buf)) buf++; // eat whitespace
        if (*buf == '\0')
        {
            Record::sendHelp (t);
            return true;
        }

        // get the filename
        sscanf (buf, "%s", filename); // BUFFER OVERFLOW due to unchecked size (lines 3667)

Impact

This could lead to denial of service of the program.

@blast007 blast007 added this to the 2.4.28 milestone Mar 16, 2024
@blast007
Copy link
Member

If I'm reading the other code correctly, the length of buf should always be less than MessageLen since it's a substring of another string of text from a MessageLen sized buffer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants