Headline
CVE-2021-37778: There is a buffer overflow when parsing command line parameters · Issue #294 · osqzss/gps-sdr-sim
There is a buffer overflow in gps-sdr-sim v1.0 when parsing long command line parameters, which can lead to DoS or code execution.
Hi friends!
When the parameter length is greater than 100 characters of MAX_CHAR, the strcpy function overflows. A length check can be performed to fix the problem.
#define MAX_CHAR (100)
char umfile\[MAX\_CHAR\];
char navfile\[MAX\_CHAR\];
char outfile\[MAX\_CHAR\];
while ((result=getopt(argc,argv,"e:u:g:c:l:o:s:b:T:t:d:iv"))!=-1)
{
switch (result)
{
case 'e':
strcpy(navfile, optarg);
break;
case 'u':
strcpy(umfile, optarg);
nmeaGGA = FALSE;
break;
case 'g':
strcpy(umfile, optarg);
nmeaGGA = TRUE;
break;
case 'c':
// Static ECEF coordinates input mode
staticLocationMode = TRUE;
sscanf(optarg,"%lf,%lf,%lf",&xyz\[0\]\[0\],&xyz\[0\]\[1\],&xyz\[0\]\[2\]);
break;
case 'l':
// Static geodetic coordinates input mode
// Added by [email protected]
staticLocationMode = TRUE;
sscanf(optarg,"%lf,%lf,%lf",&llh\[0\],&llh\[1\],&llh\[2\]);
llh\[0\] = llh\[0\] / R2D; // convert to RAD
llh\[1\] = llh\[1\] / R2D; // convert to RAD
llh2xyz(llh,xyz\[0\]); // Convert llh to xyz
break;
case 'o':
strcpy(outfile, optarg);
break;