From: 2ourc3 1er
Subject: Stack BufferOverflow in readelf.c
Date: Thu, 27 Apr 2023 19:30:49 +0200
I am writing to bring to your attention a potential issue in the function dump_relocations in the software readelf.c.

The function includes a declaration of a fixed-sized buffer, char name_buf[40];, which is used later in the function with the sprintf function:

    sprintf (name_buf, "<section 0x%x>", (unsigned int) psym->st_shndx);

The problem with this implementation is that the st_shndx argument used in sprintf is controlled by the user, and therefore, could be larger than the size of the buffer, leading to a stack buffer overflow on the buffer name_buf.

To prevent potential security vulnerabilities, I recommend modifying the implementation to use a dynamic buffer allocation that adjusts its size according to the length of the input argument. Otherwise, the functions sprintf and snprintf allow specifying a maximum input size. This would ensure that the buffer can accommodate all possible input values, mitigating the risk of a buffer overflow.
Please let me know if you have any questions or concerns regarding this issue.
Best regards,
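As an added example (not the reporter's code and not binutils' own readelf.c), the C program below applies the bounded-write mitigation the report suggests: snprintf with the destination size as the limit. It also shows two checks a maintainer would want before settling on a fixed-size buffer: computing the longest string the format "<section 0x%x>" can produce for any unsigned int (by formatting UINT_MAX), and confirming that a deliberately too-small buffer is truncated rather than overrun. The buffer size, function names and the canary layout are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed to match the buffer size quoted in the report. */
#define NAME_BUF_LEN 40

/* Formats a section index the way the report describes, but bounded by
 * the destination size. Returns the length the full string needs
 * (excluding the NUL), which is what snprintf reports even on truncation. */
int format_section_name(char *buf, size_t len, unsigned int shndx)
{
    return snprintf(buf, len, "<section 0x%x>", shndx);
}

/* Largest output this format can produce for any unsigned int: %x of
 * UINT_MAX is the longest hex rendering (8 digits on 32-bit unsigned int). */
int max_section_name_len(void)
{
    char scratch[64];
    return snprintf(scratch, sizeof scratch, "<section 0x%x>", UINT_MAX);
}

/* 1 if a fixed buffer of buf_len bytes holds every possible output plus
 * its terminating NUL, 0 otherwise. */
int buffer_is_sufficient(size_t buf_len)
{
    return (size_t)max_section_name_len() + 1 <= buf_len;
}

/* 1 if formatting shndx into a NAME_BUF_LEN buffer yields exactly expected. */
int format_matches(unsigned int shndx, const char *expected)
{
    char name_buf[NAME_BUF_LEN];
    format_section_name(name_buf, sizeof name_buf, shndx);
    return strcmp(name_buf, expected) == 0;
}

/* Formats the largest index into a tiny buffer followed by a canary byte
 * and checks the canary survived: snprintf truncates instead of writing
 * past the end. Returns 1 on success. */
int truncation_is_bounded(void)
{
    struct {
        char buf[8];
        unsigned char canary;
    } s;
    memset(&s, 0, sizeof s);
    s.canary = 0xA5;
    int needed = format_section_name(s.buf, sizeof s.buf, 0xFFFFFFFFu);
    return needed == 20 && strlen(s.buf) == 7 && s.canary == 0xA5
           && strcmp(s.buf, "<sectio") == 0;
}

int main(void)
{
    printf("longest possible output: %d chars\n", max_section_name_len());
    printf("%d-byte buffer sufficient: %s\n", NAME_BUF_LEN,
           buffer_is_sufficient(NAME_BUF_LEN) ? "yes" : "no");
    printf("truncation bounded: %s\n",
           truncation_is_bounded() ? "yes" : "no");
    return 0;
}
```

Note that snprintf's return value is the length the full string would need, not the number of bytes written, so a caller that wants to detect truncation compares the return value against the buffer size rather than trusting it as a byte count.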