Null pointer dereference
V512 CWE-119 A call of the ‘__builtin___memcpy_chk’ function will lead to a buffer overflow. – ADDITIONAL IN CURRENT necp_client.c 1459
V557 CWE-787 Array overrun is possible. The value of ‘length - 1’ index could reach 23. – ADDITIONAL IN CURRENT necp_client.c 1460
#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define MAX_ROUTE_RULE_INTERFACES 10

static inline const char *
necp_get_result_description(....)
{
  ....
  /* Dimensions are swapped: 24 rows of 10 bytes, but the loop below
     treats interface_names[index] as a 24-byte name buffer. */
  char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
  ....
  for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
    if (route_rule->exception_if_indices[index] != 0) {
      ifnet_t interface = ifindex2ifnet[....];
      snprintf(interface_names[index], IFXNAMSIZ, "%s%d",
               ifnet_name(interface), ifnet_unit(interface));
    } else {
      memset(interface_names[index], 0, IFXNAMSIZ);
    }
  }
  ....
}
The array dimensions are swapped. interface_names is declared as IFXNAMSIZ (24) rows of MAX_ROUTE_RULE_INTERFACES (10) bytes, but the loop uses interface_names[index] as if each row were a 24-byte name buffer. Because index only takes the values 0..9, rows interface_names[10..23][....] are never addressed directly (this is the index of 23 that V557 reports). At the same time each interface_names[index] really is only 10 bytes wide, yet snprintf and memset are allowed to write up to IFXNAMSIZ = 24 bytes into it, so rows 0..9 overlap: as soon as an interface name plus unit number is 10 or more characters, the write spills into the next one or two rows, which the following iteration then overwrites in turn.
The result is nonsense: one part of the array stays uninitialized and the other contains a “mush” of names written over each other, so whatever the function later reads out of interface_names[index] is wrong. Note that the writes stay within the 240-byte object (the last snprintf starts at offset 90 and writes at most 24 bytes), so this is an intra-object overflow rather than a stack smash; the two analyzer warnings come from the mismatch between the 10-byte row and the 24-byte size passed to snprintf and memset. The intended declaration is evidently char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ].
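The following is an added example, not code from the XNU sources or from the article, that makes the overlap visible. It declares both layouts (the one in necp_client.c and the one with the dimensions the right way round), runs the same snprintf loop over each at the row stride the declaration actually gives, and then reads the rows back. The interface name "interfacename" and the helper names are constructed for the demonstration; any name whose name plus unit is 10 or more characters triggers the same effect.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define MAX_ROUTE_RULE_INTERFACES 10

/* Both declarations occupy 240 bytes; they differ only in what
   interface_names[index] denotes: a 10-byte row (as written in
   necp_client.c) or a 24-byte row (as the loop assumes). */
typedef char buggy_names_t[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES]; /* 24 rows x 10 bytes */
typedef char fixed_names_t[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ]; /* 10 rows x 24 bytes */

/* Constructed stand-in for ifnet_name(): 13 characters, so name + unit needs
   15 bytes, more than a 10-byte row holds, yet still shorter than IFNAMSIZ. */
#define FAKE_IFNET_NAME "interfacename"

/* Byte distance between interface_names[0] and interface_names[1]. */
size_t buggy_row_stride(void) { buggy_names_t names; return sizeof names[0]; }
size_t fixed_row_stride(void) { fixed_names_t names; return sizeof names[0]; }

/* Mimics the loop in necp_get_result_description(): each of the 10 rows gets an
   IFXNAMSIZ-limited snprintf at the stride the declaration gives a row, then the
   rows are read back at the same stride. Returns how many rows still hold the
   name that was written to them. The bounds check against `total` shows the
   writes never leave the object for either layout (offset 90 + 24 <= 240). */
static int fill_and_count_intact(char *mem, size_t row_stride, size_t total)
{
    int intact = 0;
    memset(mem, 0, total);

    for (int index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
        size_t off = (size_t)index * row_stride;
        if (off + IFXNAMSIZ > total)
            return -1; /* would leave the object; cannot happen for these sizes */
        /* Same call as in necp_client.c: the limit is IFXNAMSIZ regardless of
           how wide the row really is. */
        snprintf(mem + off, IFXNAMSIZ, "%s%d", FAKE_IFNET_NAME, index);
    }

    for (int index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
        char expected[IFXNAMSIZ];
        snprintf(expected, sizeof expected, "%s%d", FAKE_IFNET_NAME, index);
        if (strncmp(mem + (size_t)index * row_stride, expected, IFXNAMSIZ) == 0)
            intact++;
    }
    return intact;
}

/* With the swapped dimensions, row index+1 starts 10 bytes after row index, so
   every 15-byte write is clobbered by the next iteration; only the last row
   (index 9) survives. */
int intact_rows_buggy(void)
{
    buggy_names_t names;
    return fill_and_count_intact((char *)names, sizeof names[0], sizeof names);
}

/* With the dimensions the right way round, rows are 24 bytes apart and all
   ten names are read back unchanged. */
int intact_rows_fixed(void)
{
    fixed_names_t names;
    return fill_and_count_intact((char *)names, sizeof names[0], sizeof names);
}

int main(void)
{
    printf("buggy layout: row stride %zu bytes, %d of %d names intact\n",
           buggy_row_stride(), intact_rows_buggy(), MAX_ROUTE_RULE_INTERFACES);
    printf("fixed layout: row stride %zu bytes, %d of %d names intact\n",
           fixed_row_stride(), intact_rows_fixed(), MAX_ROUTE_RULE_INTERFACES);
    return 0;
}
```

The point of driving both layouts through one helper is that the loop body is identical; only sizeof names[0] changes. That is also why the bug is easy to miss in review: nothing in the loop looks wrong until you check which dimension interface_names[index] actually indexes.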
Please click here to see more bugs from this project.