Hi, there is a stack based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/command.c#L131 :
When ./fpp is running it can send commands to ./fppd, a daemon that runs a main loop and listen for incoming socket connections :
In src/fppd.c
int main(int argc, char *argv[])
{
/*We are in src/fppd.c*/
MainLoop();
}
void MainLoop(void)
{
int sock = Command_Initialize();
/**/
if (sock >= 0) {
callbacks[sock] = [] (int i) {
CommandProc();//CommandProc is in src/command.c and it will process incoming connections
return false;
};
}
}
Now in src/command.c :
void CommandProc()
{
char command[256];
char ocommand[256];
/**/
bytes_received = recvfrom(socket_fd, command, 256, 0,
(struct sockaddr *) &(client_address),
&address_length);
// recieveing at most 256 bytes of data
/**/
while (bytes_received > 0) {
memcpy(ocommand, command, bytes_received);
ocommand[bytes_received] = 0;
char response[1500] = "\n";
char *response2 = ProcessCommand(command, response);//call to the vulnerable function !
}
/**/
}
We see that CommandProc is recieving commands that can be 256 bytes long.
Then ProcessCommand is called using the potentially 256 bytes long command variable.
However, this functions is somehow expecting a 64 bytes long command only :
char *ProcessCommand(char *command, char *response)
{
char *s;
/**/
char CommandStr[64];
/**/
s = strtok(command,",");
strcpy(CommandStr, s);//command can be 256 bytes long !
/**/
}}
Crash, Code execution if a rogue attacker can send commands to ./fppd (by using ./fpp or by connecting to the daemon)