Cisco Bug: CSCus00778 - filesys_cli crash caused by memory overflow

Last Modified

Jul 20, 2018

Products (1)

  • Cisco Carrier Routing System

Known Affected Releases

4.3.4.BASE 5.3.0.BASE

Description (partial)

Symptom:
Crash seen because of a bogus path to filesys_cli that results in a buffer overflow in strncpy. The crash points to check_if_can_copy().
Conditions:
 temp = strchr(dst, FILESYS_SIGCHAR);
 strncpy(device2,dst,(temp - dst) + 1);

Basically, check_if_can_copy() is looking at this path: /net/node0_RSP0_CPU0/disk0//showtech-ipv4-dhcpd-2014-Nov-15.121633.CET.tgz , but before it calls strncpy, it looks for a colon in the string via strchr. The colon doesn't exist, which gives us a value of 0 from strchr.
 
http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/lib_ref/s/strchr.html 
strchr Returns:
A pointer to the located character, or NULL if the character doesn't occur in the string.
 
We then subtract from that 0, wrap around, and get a huge value passed to strncpy (which well exceeds the buffer). This causes the segfault, as we end up trying to write well outside of any mapped space.

While performing a copy operation, the destination string is searched for ":" in the API check_if_can_copy() to extract the destination file name, which is suffixed after the filesystem.
Somehow, the ":" is missing from the destination string when doing a copy with an invalid destination filesystem.

# echo "" > /disk1:/lol
# cd /
# filesys_cli copy -a /disk1: -u lol -b /disk0/ -v - -A
Destination filename [//disk0//lol]?
Memory fault (core dumped)
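
The check missing from the pattern above, as an added example (not Cisco's code or the actual fix): a prefix extraction that rejects a destination with no separator and bounds the copy by the destination buffer. The helper name extract_device, the DEVICE_MAX size, the return codes and FILESYS_SIGCHAR being ':' are assumptions; the sample strings are constructed from the reproduction above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FILESYS_SIGCHAR ':'   /* assumption: the page says the search is for a colon */
#define DEVICE_MAX 64         /* assumption: the real buffer size is not on the page */

enum { DEV_OK = 0, DEV_BAD_ARG = -1, DEV_NO_SEPARATOR = -2, DEV_TOO_LONG = -3 };

/* Hypothetical helper: copy the device prefix of dst, up to and including
 * FILESYS_SIGCHAR, into device (device_size bytes) and NUL-terminate it. */
static int extract_device(const char *dst, char *device, size_t device_size)
{
    const char *temp;
    size_t len;

    if (dst == NULL || device == NULL || device_size == 0)
        return DEV_BAD_ARG;
    device[0] = '\0';

    /* The missing check: strchr returns NULL when there is no separator,
     * and (NULL - dst) + 1 must never be used as a copy length. */
    temp = strchr(dst, FILESYS_SIGCHAR);
    if (temp == NULL)
        return DEV_NO_SEPARATOR;

    /* Bound the copy by the destination size, not by the source string. */
    len = (size_t)(temp - dst) + 1;
    if (len >= device_size)
        return DEV_TOO_LONG;

    memcpy(device, dst, len);
    device[len] = '\0';   /* strncpy with this length would not add the terminator */
    return DEV_OK;
}

int main(void)
{
    /* Constructed inputs: one well-formed path, plus the colon-less
     * destination shown in the reproduction above. */
    const char *samples[] = { "/disk1:/lol", "//disk0//lol" };
    char device[DEVICE_MAX];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = extract_device(samples[i], device, sizeof device);
        printf("%-14s rc=%d device=\"%s\"\n", samples[i], rc, device);
    }
    return 0;
}
```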