"John Berry" john.n.berry@gmail.com
Cromulence
This is a basic message application with the ability to create new users, log in to existing users and send messages to others.
A user can create new users and subsequently log in to their new account. From here they can send a message to a user, read a single message, list all of their messages, delete a message, log out, or exit the program. Once back at the log in screen they can create additional users, log in, or exit the program. Any new messages are automatically displayed to the user.
Messages are stored in a singly linked list and have a field indicating whether or not they have been read by the recipient.
When a user logs in, all unread messages are written to a single buffer which is then displayed to the newly logged-in user by the function list_unread_messages(). The size of the display buffer is calculated by first counting the number of unread messages and multiplying that count by the size each message requires. However, the count field is only 8 bits wide: if the user has more than 255 unread messages, the field wraps around. Since the buffer size is calculated from this count, the wraparound results in a buffer too small to hold the message data. The crash actually occurs in strlen(), because local variables have been overwritten by the overflow.
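The size calculation described above, as an added illustration that is not the challenge's own code: the 8-bit counter beside a hardened version that uses a full-width counter and checks the multiplication for overflow. The per-message slot size, the message struct and the sample list are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MSG_SLOT 64   /* assumed bytes reserved per message in the display buffer */

/* Constructed node mirroring the page's singly linked list with a "read" flag. */
typedef struct msg {
    const char *text;
    bool read;
    struct msg *next;
} msg_t;

/* Pattern described on the page: the unread count is only 8 bits wide, so
   256 unread messages wrap to 0 and the returned size is far too small. */
size_t unread_buffer_size_vuln(const msg_t *head) {
    uint8_t count = 0;
    for (const msg_t *m = head; m; m = m->next)
        if (!m->read) count++;
    return (size_t)count * MSG_SLOT;
}

/* Hardened calculation: size_t counter and an overflow check on the multiply.
   Returns false instead of handing back a size that cannot hold the data. */
bool unread_buffer_size_safe(const msg_t *head, size_t *out) {
    size_t count = 0;
    for (const msg_t *m = head; m; m = m->next)
        if (!m->read) count++;
    if (count > SIZE_MAX / MSG_SLOT)
        return false;                    /* count * MSG_SLOT would wrap */
    *out = count * MSG_SLOT;
    return true;
}

/* Builds a list of n unread messages from a static pool (constructed sample data). */
#define MAX_NODES 300
static msg_t pool[MAX_NODES];
msg_t *build_unread_list(size_t n) {
    if (n == 0 || n > MAX_NODES)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        pool[i].text = "hello";
        pool[i].read = false;
        pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
    }
    return &pool[0];
}
```

With 256 unread messages the vulnerable function returns 0 bytes while the hardened one returns 256 * 64; with 257 it returns a single 64-byte slot.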
Integer overflow resulting in an incorrectly sized small buffer and subsequently a buffer overflow.
CWE-190 Integer overflow or wraparound CWE-131 Incorrect calculation of buffer size CWE-120 Buffer copy without checking size of input
The root cause of this vulnerability is CWE-190, but it results in CWE-131, and since the size of the write is not checked, the ultimate crash is due to CWE-120.
The attacker must be able to determine that the size field is based upon messages sent and that sending messages to themselves will not be enough to trigger the vulnerability.