Laurent Bercot <ska-de...@skarnet.org> writes: [...]

>> int saveFile(char* essid, char* pw) //argv[2], argv[3]
>> {
>>     char ifilename[1024];
>>     strcpy(ifilename, path_to_interfaces_files);
>>
>>     strcat(ifilename, "/");
>>     strcat(ifilename, essid);
>
> Boom. You're dead.

[...]

> ifilename is 1024 bytes long. You are assuming that essid, and
> whatever comes afterwards, will fit into 1024 bytes. This is true
> for normal inputs, which is certainly what you tested your program
> against, but the input is given as a command line argument to your
> program: you do not control the input. *The user* controls the input.
> And a malicious user could very well give an essid argument that is
> longer than 1024 bytes.

That's presumably not much of a problem because a single user attacking
his own system is probably not much of a problem: Break whatever you
like. It's yours.

A more interesting issue is that 'essid' is likely something harvested
from an AP broadcasting one. According to a quick check, a valid ESSID
can be at most 32 octets, and it can't be more than 256 octets even if
someone configures something he controls to send invalid ESSIDs and the
software processing these doesn't check, since there's a 1-byte length
field. This means the code above, when used as intended, is likely
'accidentally safe', but relying on 'lucky accidents' like this is
nevertheless an extremely bad idea.

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
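A bounded version of the quoted path construction, added here as an example and not code from the thread or the program under discussion: it enforces the 32-octet ESSID limit mentioned above and lets snprintf report truncation instead of relying on the input happening to fit. The directory value is an assumption standing in for the undisclosed path_to_interfaces_files, and the 1024-byte buffer mirrors the original.

```c
#include <stdio.h>
#include <string.h>

/* Assumed directory; the original used a global whose value is not shown. */
#define PATH_TO_INTERFACES_FILES "/etc/network/interfaces.d"

/* Largest ESSID the frame format allows, as stated in the thread. */
#define ESSID_MAX_OCTETS 32

/* Build "<dir>/<essid>" into out[outlen] without writing past the buffer.
 * Returns 0 on success, -1 if the ESSID is empty or over-long, or if the
 * full path would not fit in outlen bytes (fail closed, never truncate). */
int build_interface_path(char *out, size_t outlen,
                         const char *dir, const char *essid)
{
    size_t essid_len = strlen(essid);
    if (essid_len == 0 || essid_len > ESSID_MAX_OCTETS)
        return -1;                      /* reject rather than trust argv */

    /* snprintf returns the length the whole string would have had; a value
     * of outlen or more means it did not fit and out is not usable. */
    int n = snprintf(out, outlen, "%s/%s", dir, essid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Same 1024-byte buffer as the original saveFile(); 1 = path built, 0 = refused. */
int essid_path_ok(const char *essid)
{
    char ifilename[1024];
    return build_interface_path(ifilename, sizeof ifilename,
                                PATH_TO_INTERFACES_FILES, essid) == 0;
}

/* Constructed input: an ESSID made of n 'A' characters (n < 4096). */
int essid_of_length_ok(size_t n)
{
    char essid[4096];
    if (n >= sizeof essid)
        return 0;
    memset(essid, 'A', n);
    essid[n] = '\0';
    return essid_path_ok(essid);
}

int main(void)
{
    printf("homenet      -> %d\n", essid_path_ok("homenet"));
    printf("32 x 'A'     -> %d\n", essid_of_length_ok(32));
    printf("33 x 'A'     -> %d\n", essid_of_length_ok(33));
    printf("2000 x 'A'   -> %d\n", essid_of_length_ok(2000));
    return 0;
}
```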