Re: Stack BufferOverflow in readelf.c
From: Andreas Schwab
Subject: Re: Stack BufferOverflow in readelf.c
Date: Thu, 27 Apr 2023 19:50:54 +0200
User-agent: Gnus/5.13 (Gnus v5.13)
On Apr 27 2023, 2ourc3 1er wrote:
> The function includes a declaration of a fixed-size buffer, char
> name_buf[40];, which is used later in the function with the sprintf
> function: sprintf (name_buf, "<section 0x%x>",
> (unsigned int) psym->st_shndx);
>
> The problem with this implementation is that the st_shndx argument used in
> sprintf is controlled by the user, and therefore, could be larger than the
> size of the buffer, leading to a Stack BufferOverflow on the buffer
> name_buf.
That is obviously impossible: psym->st_shndx can be at most 65535, so it
cannot be larger than 4 characters when formatted as a hexadecimal
number.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
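The bound Andreas states can be checked mechanically rather than argued by hand. The following is an added example, not code from the thread or from binutils: it takes the 40-byte buffer size and the "<section 0x%x>" format quoted in the report, brute-forces the longest string the format can produce over every 16-bit st_shndx value (Elf32_Half and Elf64_Half are both 16 bits wide), and shows the defensive alternative of formatting through snprintf with the buffer size and checking for truncation. The function names max_section_name_len and format_section_name are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer size and format string as quoted in the bug report. */
#define NAME_BUF_SIZE 40
#define SECTION_FMT "<section 0x%x>"

/* Longest string SECTION_FMT can produce for any 16-bit st_shndx value,
 * not counting the terminating NUL. Brute-forced over the full range so
 * the bound does not depend on reasoning about hex digit counts.
 * The loop variable is 32 bits wide so that v <= UINT16_MAX terminates. */
int max_section_name_len(void)
{
    int max = 0;
    for (uint32_t v = 0; v <= UINT16_MAX; v++) {
        /* snprintf(NULL, 0, ...) returns the length it would have written. */
        int n = snprintf(NULL, 0, SECTION_FMT, (unsigned int)v);
        if (n > max)
            max = n;
    }
    return max;
}

/* Defensive variant of the readelf call: format through snprintf with the
 * real buffer size instead of sprintf. Returns 1 when the whole string
 * (including NUL) fit in buf, 0 when it was truncated or an error occurred.
 * buf always ends up NUL-terminated when bufsize > 0. */
int format_section_name(char *buf, size_t bufsize, uint16_t st_shndx)
{
    int n = snprintf(buf, bufsize, SECTION_FMT, (unsigned int)st_shndx);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    char name_buf[NAME_BUF_SIZE];
    int longest = max_section_name_len();

    printf("longest formatted name: %d chars (+1 NUL) vs buffer of %d\n",
           longest, NAME_BUF_SIZE);
    printf("worst case fits: %s\n",
           longest + 1 <= NAME_BUF_SIZE ? "yes" : "no");

    if (format_section_name(name_buf, sizeof name_buf, UINT16_MAX))
        printf("formatted 0xffff -> \"%s\"\n", name_buf);
    return 0;
}
```

The worst case is 0xffff, which formats to 16 characters plus the NUL, well inside 40 bytes; the report's premise that st_shndx could be "larger than the size of the buffer" confuses the numeric value with its formatted width. The snprintf form is still worth preferring in new code, because it turns a future change of the field's type or of the format string into a detectable truncation instead of a stack write past the buffer.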