Unsafe against buffer overflows #4
Description
bool _5G_NB_IoT_SSL::SetSSLCertificate(unsigned int ssl_index, char *ca_cert_path, char *client_cert_path, char *client_key_path, bool validity_check)
{
char cmd[64],buf[64];
strcpy(cmd, SSL_CONFIG_PARAMETER);
if(ca_cert_path == "" && client_cert_path == "" && client_key_path == ""){
sprintf(buf, "=\"seclevel\",%d,0", ssl_index);
strcat(cmd, buf);
if(sendAndSearch(cmd, RESPONSE_OK, RESPONSE_ERROR, 5)){
return true;
}
}else if(ca_cert_path != "" && client_cert_path == "" && client_key_path == ""){
sprintf(buf, "=\"seclevel\",%d,1", ssl_index);
strcat(cmd, buf);
if(!sendAndSearch(cmd, RESPONSE_OK, RESPONSE_ERROR, 5)){
return false;
}
memset(cmd, '\0', 64);
memset(buf, '\0', 32);
strcpy(cmd, SSL_CONFIG_PARAMETER);
sprintf(buf, "=\"cacert\",%d,\"%s\"", ssl_index, ca_cert_path);
strcat(cmd, buf);
...Library uses sprintf all over the place which does no max length checking. Supplying a ca_cert_path beyond 64 characters buffer-overflows the buf variable and subsequently cmd.
There are 104 usages of sprintf in the library, many of which might be similiarly vulnerable.