XNU Kernel

Null pointer dereference

V512 CWE-119 A call of the ‘__builtin___memcpy_chk’ function will lead to a buffer overflow. – ADDITIONAL IN CURRENT necp_client.c 1459

V557 CWE-787 Array overrun is possible. The value of ‘length - 1’ index could reach 23. – ADDITIONAL IN CURRENT necp_client.c 1460

#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)
#define MAX_ROUTE_RULE_INTERFACES 10

static inline const char *
necp_get_result_description(....)
{
  ....
  /* Dimensions are swapped: this declares 24 rows of 10 bytes,
     but the loop below treats it as 10 rows of IFXNAMSIZ (24) bytes. */
  char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
  ....
  for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
    if (route_rule->exception_if_indices[index] != 0) {
      ifnet_t interface = ifindex2ifnet[....];
      snprintf(interface_names[index],
               IFXNAMSIZ, "%s%d", ifnet_name(interface),
               ifnet_unit(interface));
    } else {
      memset(interface_names[index], 0, IFXNAMSIZ);
    }
  }
  ....
}

The two dimensions are swapped. The elements interface_names[10..23][...] are never used, because the loop variable index only takes the values [0..9]. But each row interface_names[0..9][...] is only MAX_ROUTE_RULE_INTERFACES (10) bytes wide, while snprintf and memset write up to IFXNAMSIZ (24) bytes into it, so the rows overlap each other and every write clobbers the beginning of the rows that follow.

The result is nonsense: part of the array stays uninitialized, and the rest is a “mush” of data written over data that was already there.
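The overlap described above, as an added example in C (not code from the XNU project): it replays the loop on a flat 240-byte buffer once with the swapped row width and once with the intended one, then checks whether a row still holds a terminated string. The helpers fill_names, row_intact and row_survives, the "interface%d" names and the count of eight used interfaces are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define MAX_ROUTE_RULE_INTERFACES 10

/* Row stride of the swapped declaration versus the intended one (240-byte object either way). */
#define BUGGY_STRIDE MAX_ROUTE_RULE_INTERFACES
#define FIXED_STRIDE IFXNAMSIZ
#define TABLE_BYTES  (IFXNAMSIZ * MAX_ROUTE_RULE_INTERFACES)

/* Replays the loop from necp_get_result_description with the given row stride: rows
   below `used` get a constructed name ("interface%d"), the rest IFXNAMSIZ zero bytes. */
void fill_names(char *table, size_t stride, int used)
{
    memset(table, 0x55, TABLE_BYTES);  /* poison so untouched bytes show up */
    for (int index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
        char *row = table + (size_t)index * stride;
        if (index < used)
            snprintf(row, IFXNAMSIZ, "%s%d", "interface", index);
        else
            memset(row, 0, IFXNAMSIZ);
    }
}

/* 1 when row `index` is a NUL-terminated string equal to `expected` within its
   IFXNAMSIZ bytes; 0 when a later row overwrote its bytes or its terminator. */
int row_intact(const char *table, size_t stride, int index, const char *expected)
{
    const char *row = table + (size_t)index * stride;
    if (memchr(row, '\0', IFXNAMSIZ) == NULL)
        return 0;
    return strcmp(row, expected) == 0;
}

/* Fills a fresh table with 8 named rows and reports whether row `index` survived. */
int row_survives(size_t stride, int index, const char *expected)
{
    char table[TABLE_BYTES];
    fill_names(table, stride, 8);
    return row_intact(table, stride, index, expected);
}

int main(void)
{
    printf("row 0 survives: buggy %d, fixed %d\n", row_survives(BUGGY_STRIDE, 0, "interface0"),
           row_survives(FIXED_STRIDE, 0, "interface0"));
    return 0;
}
```

With the swapped width only the last row written (index 7) reads back correctly; every earlier row has had its terminator overwritten by the next row's name.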
