Stack-based Buffer Overflow in FalconChristmas/fpp

Valid
Reported on May 30th 2021

✍️ Description

Hi, there is a stack-based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/command.c#L131 :

When ./fpp is running it can send commands to ./fppd, a daemon that runs a main loop and listens for incoming socket connections:

In src/fppd.c

int main(int argc, char *argv[])
{
    /*We are in src/fppd.c*/

    MainLoop();
}

void MainLoop(void)
{
    int sock = Command_Initialize();
    /**/
    if (sock >= 0) {
        callbacks[sock] = [] (int i) {
            CommandProc();//CommandProc is in src/command.c and it will process incoming connections
            return false;
        };
    }
}

Now in src/command.c:

void CommandProc()
{
    char command[256];
    char ocommand[256];

    /**/
    bytes_received = recvfrom(socket_fd, command, 256, 0,
                              (struct sockaddr *) &(client_address),
                              &address_length);
    // receiving at most 256 bytes of data into command[]
    
    /**/

    while (bytes_received > 0) {
        memcpy(ocommand, command, bytes_received);
        ocommand[bytes_received] = 0;
        char response[1500] = "\n";
        char *response2 = ProcessCommand(command, response);//call to the vulnerable function !
    }
/**/
}

We see that CommandProc receives commands that can be up to 256 bytes long. ProcessCommand is then called with this potentially 256-byte-long command variable. However, this function only makes room for a 64-byte command:

char *ProcessCommand(char *command, char *response)
{
    char *s;
    /**/
    char CommandStr[64];
    /**/
    s = strtok(command,",");
    strcpy(CommandStr, s);//s is the first comma-separated token of command and can be up to 256 bytes long, but CommandStr only holds 64 !
   /**/
}
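As an added illustration (this is not code from the fpp repository or from the reporter), the following C program reproduces the copy pattern above in isolation with the same buffer sizes: a datagram of at most 256 bytes, its first comma-separated token, and a 64-byte destination. overflow_bytes() measures how far the original strcpy would write past CommandStr, and copy_command_safe() is a hypothetical hardened replacement that bounds-checks the token and rejects the command instead of copying it. The function names, the 'A'-filled datagram and the "hello,world" command are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Sizes taken from the excerpts above: recvfrom() reads at most 256 bytes
 * into command[], and ProcessCommand() copies the first comma-separated
 * token into a 64-byte CommandStr[]. */
#define COMMAND_LEN    256
#define COMMANDSTR_LEN 64

/* Copy the datagram into a NUL-terminated scratch buffer (so strtok() has a
 * terminator to stop at) and return the first comma-separated token, or NULL
 * when the datagram contains no token at all (empty, or only commas). */
static char *first_token(const char *command, size_t command_len, char *scratch)
{
    if (command_len > COMMAND_LEN)
        command_len = COMMAND_LEN;
    memcpy(scratch, command, command_len);
    scratch[command_len] = '\0';
    return strtok(scratch, ",");
}

/* Number of bytes the original strcpy(CommandStr, s) would write past the end
 * of the 64-byte CommandStr for this datagram (0 means the token fits).
 * strcpy writes the token plus its terminating NUL. */
size_t overflow_bytes(const char *command, size_t command_len)
{
    char scratch[COMMAND_LEN + 1];
    char *s = first_token(command, command_len, scratch);
    size_t need = (s ? strlen(s) : 0) + 1;
    return need > COMMANDSTR_LEN ? need - COMMANDSTR_LEN : 0;
}

/* Hypothetical hardened replacement for the strcpy (not the project's fix):
 * bounds-check the token against the destination and reject the command
 * rather than truncating it silently. Returns 0 on success, -1 when there is
 * no token or it would not fit together with its NUL terminator. */
int copy_command_safe(const char *command, size_t command_len, char *out, size_t out_len)
{
    char scratch[COMMAND_LEN + 1];
    char *s = first_token(command, command_len, scratch);
    if (s == NULL)
        return -1;
    size_t tok_len = strlen(s);
    if (tok_len >= out_len)
        return -1;
    memcpy(out, s, tok_len + 1);
    return 0;
}

/* Constructed attacker input: a datagram of token_len 'A' bytes and no comma,
 * so strtok() returns the whole datagram as a single token. */
size_t overflow_for_token_len(size_t token_len)
{
    char datagram[COMMAND_LEN];
    if (token_len > sizeof datagram)
        token_len = sizeof datagram;
    memset(datagram, 'A', token_len);
    return overflow_bytes(datagram, token_len);
}

/* Same constructed datagram, run through the hardened copy. */
int safe_copy_result_for_token_len(size_t token_len)
{
    char datagram[COMMAND_LEN];
    char commandstr[COMMANDSTR_LEN];
    if (token_len > sizeof datagram)
        token_len = sizeof datagram;
    memset(datagram, 'A', token_len);
    return copy_command_safe(datagram, token_len, commandstr, sizeof commandstr);
}

int main(void)
{
    char commandstr[COMMANDSTR_LEN];
    const char *short_cmd = "hello,world";   /* constructed, well-formed command */

    printf("\"%s\": strcpy overflows by %zu bytes, safe copy returns %d\n",
           short_cmd, overflow_bytes(short_cmd, strlen(short_cmd)),
           copy_command_safe(short_cmd, strlen(short_cmd), commandstr, sizeof commandstr));
    printf("200-byte token: strcpy overflows by %zu bytes, safe copy returns %d\n",
           overflow_for_token_len(200), safe_copy_result_for_token_len(200));
    return 0;
}
```

The boundary is at 63 characters: a 63-byte token plus its NUL exactly fills CommandStr, a 64-byte token already writes one byte past it, and a 200-byte token (well within the 256 bytes recvfrom accepts) writes 137 bytes over the end of the stack buffer. The hardened copy rejects the command rather than truncating it, since a truncated command string could silently become a different, valid command.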

💥 Impact

Crash, or code execution, if an attacker can send commands to ./fppd (by using ./fpp or by connecting directly to the daemon's socket).