You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The sys_execCommand function in sys_linux.c is used to execute various shell commands from inside basics station. The main use cases for this function are executing the radio reset script at startup, executing the executable blob inside the CUPS response, as well es servicing the runcmd message from the LNS.
The function is built to be able to run local executables from the file system as well as inline bash scripts and non-executable script files. Whenever the argument is not a path to an executable file, the original argv list is extended in order to build a valid argv for execution. In the process a new argument vector argv2 is allocated. argv2 is an extension of the original argv by 3 more elements at the front. In total, the size of argv2 must be argc plus 4 (3 additional elements + NULL element for termination). However, the code allocates only 3 more elements than argc. Thus, the following memcpy overwrites sizeof(str_t) bytes of memory beyond the allocated space with zeros.
The
sys_execCommand
function insys_linux.c
is used to execute various shell commands from inside basics station. The main use cases for this function are executing the radio reset script at startup, executing the executable blob inside the CUPS response, as well es servicing theruncmd
message from the LNS.The function is built to be able to run local executables from the file system as well as inline bash scripts and non-executable script files. Whenever the argument is not a path to an executable file, the original
argv
list is extended in order to build a validargv
for execution. In the process a new argument vectorargv2
is allocated.argv2
is an extension of the originalargv
by 3 more elements at the front. In total, the size ofargv2
must beargc
plus 4 (3 additional elements + NULL element for termination). However, the code allocates only 3 more elements thanargc
. Thus, the followingmemcpy
overwritessizeof(str_t)
bytes of memory beyond the allocated space with zeros.basicstation/src-linux/sys_linux.c
Lines 530 to 531 in 6675c77
To correct this, the allocation shall take
argc+4
elements of sizestr_t
instead ofargc+3
:The text was updated successfully, but these errors were encountered: