Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Memory corruption during execution of shell commands #146

Closed
beitler opened this issue Jan 11, 2022 · 0 comments
Closed

Memory corruption during execution of shell commands #146

beitler opened this issue Jan 11, 2022 · 0 comments

Comments

@beitler
Copy link
Contributor

beitler commented Jan 11, 2022

The sys_execCommand function in sys_linux.c is used to execute various shell commands from inside basics station. The main use cases for this function are executing the radio reset script at startup, executing the executable blob inside the CUPS response, as well es servicing the runcmd message from the LNS.

The function is built to be able to run local executables from the file system as well as inline bash scripts and non-executable script files. Whenever the argument is not a path to an executable file, the original argv list is extended in order to build a valid argv for execution. In the process a new argument vector argv2 is allocated. argv2 is an extension of the original argv by 3 more elements at the front. In total, the size of argv2 must be argc plus 4 (3 additional elements + NULL element for termination). However, the code allocates only 3 more elements than argc. Thus, the following memcpy overwrites sizeof(str_t) bytes of memory beyond the allocated space with zeros.

str_t* argv2 = rt_mallocN(str_t, argc+3);
memcpy(&argv2[3], &argv[0], sizeof(argv[0])*(argc+1)); // also copy trailing NULL

To correct this, the allocation shall take argc+4 elements of size str_t instead of argc+3:

str_t* argv2 = rt_mallocN(str_t, argc+4);
@beitler beitler changed the title Memory corruption during execution of system commands Memory corruption during execution of shell commands Jan 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant