
CVE-2022-35161: buffer overflow in SerialConsole.cpp · Issue #27 · collin80/GVRET

GVRET Stable Release as of Aug 15, 2015 was discovered to contain a buffer overflow via the handleConfigCmd function at SerialConsole.cpp.


Hi, great project!

There is a buffer overflow vulnerability in the handleConfigCmd function of the SerialConsole.cpp file. When cmdString == String("FILEEXT"), the newString is copied to fileNameExt without checking the length, and overflow may occur.

```cpp
void SerialConsole::handleConfigCmd() {
    int i;
    int newValue;
    char *newString;
    bool writeEEPROM = false;
    bool writeDigEE = false;
    char *dataTok;

    if (ptrBuffer < 6)
        return; //4 digit command, =, value is at least 6 characters
    cmdBuffer[ptrBuffer] = 0; //make sure to null terminate
    String cmdString = String();
    unsigned char whichEntry = '0';
    i = 0;

    while (cmdBuffer[i] != '=' && i < ptrBuffer) {
        cmdString.concat(String(cmdBuffer[i++]));
    }
    i++; //skip the =
    if (i >= ptrBuffer) {
        Logger::console("Command needs a value..ie TORQ=3000");
        Logger::console("");
        return; //or, we could use this to display the parameter instead of setting
    }

    newValue = strtol((char *) (cmdBuffer + i), NULL, 0); //try to turn the string into a number
    newString = (char *)(cmdBuffer + i); //leave it as a string

    if (cmdString == String("CAN0EN")) {

    } else if (cmdString == String("FILEBASE")) {
        Logger::console("Setting File Base Name to %s", newString);
        //unchecked copy: the length of newString is never compared to the destination size
        strcpy((char *)settings.fileNameBase, newString);
        writeEEPROM = true;
    } else if (cmdString == String("FILEEXT")) {
        Logger::console("Setting File Extension to %s", newString);
        //unchecked copy: this is the overflow described in the report
        strcpy((char *)settings.fileNameExt, newString);
        writeEEPROM = true;
```
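One way to bound the two copies the report points at, shown as an added example that is not GVRET's code or its actual fix. The `Settings` layout, the field sizes and the helper names `setConfigString` and `handleFileCmd` are assumptions for illustration, since the page does not give the real sizes.

```cpp
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// Assumed layout for illustration; the real field sizes are not given on this page.
struct Settings {
    char fileNameBase[30];  // assumed size
    char fileNameExt[4];    // assumed size: 3 characters + NUL
    unsigned char canary;   // stands in for whatever follows the buffers in memory
};

// Copy value into dst only if it fits, including the terminating NUL.
// On rejection dst is left unchanged, so a bad command cannot half-update a setting.
bool setConfigString(char *dst, size_t dstSize, const char *value) {
    if (dst == nullptr || value == nullptr || dstSize == 0)
        return false;
    size_t len = strnlen(value, dstSize);  // never scans more than dstSize bytes
    if (len >= dstSize)
        return false;                      // too long: refuse instead of truncating
    memcpy(dst, value, len);
    dst[len] = '\0';
    return true;
}

// Hypothetical stand-in for the FILEBASE / FILEEXT branches of handleConfigCmd.
// The caller would set writeEEPROM only when this returns true.
bool handleFileCmd(Settings &s, const char *cmd, const char *newString) {
    if (strcmp(cmd, "FILEBASE") == 0)
        return setConfigString(s.fileNameBase, sizeof s.fileNameBase, newString);
    if (strcmp(cmd, "FILEEXT") == 0)
        return setConfigString(s.fileNameExt, sizeof s.fileNameExt, newString);
    return false;
}

int main() {
    Settings s = {};
    s.canary = 0xA5;
    const char *tooLong = "longextension";  // constructed over-length input
    bool ok = handleFileCmd(s, "FILEEXT", "csv");
    bool rejected = !handleFileCmd(s, "FILEEXT", tooLong);
    printf("accepted=%d rejected=%d ext=%s canary=0x%02X\n", ok, rejected, s.fileNameExt, s.canary);
    return (ok && rejected && s.canary == 0xA5) ? 0 : 1;
}
```

Rejecting an over-length value, rather than silently truncating it, keeps the stored setting and the logged value consistent.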
