Potential buffer overflow in RecordCommand() function in bzfs module #342

vien2024 · 2024-02-28T03:08:38Z

General

I spot a potential buffer overflow in the RecordCommand() function in commands.cxx file in bzfs module:
https://github.com/BZFlag-Dev/bzflag/blob/2.4/src/bzfs/commands.cxx

Description

The filename array has fixed length, user-input buffer could overflow the filename array in sscanf() due to unchecked length.

            Record::sendHelp (t);
    }
    else if (strncasecmp (buf, "save", 4) == 0)
    {
        buf = buf + 4;
        char filename[MessageLen];

        while ((*buf != '\0') && isspace (*buf)) buf++; // eat whitespace
        if (*buf == '\0')
        {
            Record::sendHelp (t);
            return true;
        }

        // get the filename
        sscanf (buf, "%s", filename); // BUFFER OVERFLOW due to unchecked size (lines 3667)

Impact

This could lead to denial of service of the program.

The text was updated successfully, but these errors were encountered:

blast007 · 2024-03-16T16:24:22Z

If I'm reading the other code correctly, the length of buf should always be less than MessageLen since it's a substring of another string of text from a MessageLen sized buffer.

blast007 added this to the 2.4.28 milestone Mar 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential buffer overflow in RecordCommand() function in bzfs module #342

Potential buffer overflow in RecordCommand() function in bzfs module #342

vien2024 commented Feb 28, 2024

blast007 commented Mar 16, 2024

Potential buffer overflow in RecordCommand() function in bzfs module #342

Potential buffer overflow in RecordCommand() function in bzfs module #342

Comments

vien2024 commented Feb 28, 2024

General

Description

Impact

blast007 commented Mar 16, 2024