XNU Kernel

BUG OF THE MONTH | Null pointer dereference

V512 CWE-119 A call of the ‘__builtin___memcpy_chk’ function will lead to a buffer overflow. – ADDITIONAL IN CURRENT necp_client.c 1459

V557 CWE-787 Array overrun is possible. The value of ‘length – 1’ index could reach 23. – ADDITIONAL IN CURRENT necp_client.c 1460

#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)

static inline const char *
....                                  /* function header and declarations are missing from the excerpt; the two */
                                      /* diagnostics imply char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES], */
                                      /* i.e. 24 rows of 10 bytes instead of 10 rows of 24 bytes */
  for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
    if (route_rule->exception_if_indices[index] != 0) {
      ifnet_t interface = ifindex2ifnet[....];
      snprintf(interface_names[index],               /* writes up to IFXNAMSIZ (24) bytes into a 10-byte row */
               IFXNAMSIZ, "%s%d", ifnet_name(interface), ....);
    } else {
      memset(interface_names[index], 0, IFXNAMSIZ);  /* 24 zero bytes into the same 10-byte row */
    }
  }

The elements of the array interface_names[10..23][….] are never used, because the loop variable index only takes the values [0..9]. The elements interface_names[0..9][….], on the other hand, overlap each other: each row is only 10 bytes long, but every write into it is IFXNAMSIZ (24) bytes long, so the data written for one interface overwrites the data of the next ones.

The result is nonsense: part of the array remains uninitialized, and the rest contains a “mush”, where data has been written over data that was already there.
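To make the overlap concrete, here is an added example (not code from XNU or from the analyzer's report) that runs the same fill loop over a flat 240-byte block with both row strides: 10 bytes, as the swapped declaration implied by the diagnostics gives, and 24 bytes, as the intended declaration gives. It assumes MAX_ROUTE_RULE_INTERFACES is 10 (the loop bound described above) and substitutes a constructed interface table and route rule for ifindex2ifnet, ifnet_name, ifnet_unit and route_rule.

```c
#include <stdio.h>
#include <string.h>
#define IFNAMSIZ  16
#define IFXNAMSIZ (IFNAMSIZ + 8)                  /* 24 */
#define MAX_ROUTE_RULE_INTERFACES 10              /* assumed: the loop runs index 0..9 */
#define ARRAY_BYTES (IFXNAMSIZ * MAX_ROUTE_RULE_INTERFACES)  /* 240 bytes with either declaration */
#define SWAPPED_STRIDE MAX_ROUTE_RULE_INTERFACES  /* char names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES] */
#define CORRECT_STRIDE IFXNAMSIZ                  /* char names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ] */
/* Constructed stand-ins for ifindex2ifnet[], ifnet_name(), ifnet_unit(); entry 0 means no interface. */
static const struct { const char *name; int unit; } demo_ifnet[] = {
    { "", 0 }, { "en", 0 }, { "utun", 1234567 }, { "bridge", 100 }, { "awdl", 0 } };
/* Constructed route rule: five exception interfaces set, the remaining slots unused (0). */
static const unsigned demo_rule[MAX_ROUTE_RULE_INTERFACES] = { 2, 3, 2, 1, 4, 0, 0, 0, 0, 0 };
static void format_name(char *dst, unsigned ifindex) {
    if (ifindex != 0)                             /* same "%s%d" formatting as the kernel loop */
        snprintf(dst, IFXNAMSIZ, "%s%d", demo_ifnet[ifindex].name, demo_ifnet[ifindex].unit);
    else
        memset(dst, 0, IFXNAMSIZ);                /* 24 zero bytes, whatever the row size */
}
/* The fill loop over a flat block: row i starts at i * stride, but every write is IFXNAMSIZ
 * bytes long, so with the swapped 10-byte stride row i spills into rows i+1 and i+2. */
static void fill_names(char storage[ARRAY_BYTES], size_t stride) {
    memset(storage, '?', ARRAY_BYTES);            /* marker for bytes that are never written */
    for (unsigned index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++)
        format_name(storage + index * stride, demo_rule[index]);
}
/* What later code reads as interface_names[index] (NUL-terminated copy in a static buffer). */
static const char *row_as_seen(size_t stride, unsigned index) {
    static char out[IFXNAMSIZ];
    char storage[ARRAY_BYTES];
    fill_names(storage, stride);
    memcpy(out, storage + index * stride, IFXNAMSIZ);
    out[IFXNAMSIZ - 1] = '\0';
    return out;
}
/* Number of rows whose readback differs from the string that was written into them. */
static int count_corrupted_rows(size_t stride) {
    int corrupted = 0;
    for (unsigned index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
        char expected[IFXNAMSIZ];
        format_name(expected, demo_rule[index]);
        corrupted += strcmp(row_as_seen(stride, index), expected) != 0;
    }
    return corrupted;
}
int main(void) {
    printf("swapped layout, row 0 reads: \"%s\"\n", row_as_seen(SWAPPED_STRIDE, 0));
    printf("corrupted rows: %d swapped vs %d correct\n", count_corrupted_rows(SWAPPED_STRIDE), count_corrupted_rows(CORRECT_STRIDE));
    return 0;
}
```

With the swapped layout, row 0 reads back as the first ten bytes of its own name followed by row 1's name, which is exactly the “mush” described above; with the correct layout every row reads back as written.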

Please click here to see more bugs from this project.
