Open
Description
In the logic behind the function `xml_recreate_namespace`, five heap buffer overflow bugs exist (lines 268, 281, 288, 295 and 229).
Everywhere where `(*(c + 5) == ':')` is executed, there is no guarantee that the buffer is at least 6 bytes. If the value returned by `mxmlElementGetAttrName()` is 5 bytes or less (4 chars plus the null termination byte), the program will try to read out of bounds, resulting in a heap buffer overflow.
These findings are the results of a fuzzing initiative; all the fuzzing results are available in this repository.
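The unchecked read described in the report next to a bounds-aware form, as an added example that is not the project's code or the reporter's. The function names and the sample attribute names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern described in the report: reads byte 5 without knowing the
 * string is that long. Out of bounds when strlen(c) < 5. */
int colon_at_5_unchecked(const char *c)
{
    return c && *(c + 5) == ':';
}

/* Hardened form: walk the first 5 bytes and stop at a NUL, so index 5
 * is only read when it lies inside the allocation. */
int colon_at_5_checked(const char *c)
{
    if (c == NULL)
        return 0;
    for (size_t i = 0; i < 5; i++) {
        if (c[i] == '\0')
            return 0;           /* name ends before index 5 */
    }
    return c[5] == ':';
}

/* Copy a name into an exactly sized heap buffer, so any read past the
 * terminator would leave the allocation, and run the checked test.
 * Returns -1 on allocation failure. */
int check_on_heap(const char *name)
{
    size_t n = strlen(name) + 1;
    char *buf = malloc(n);
    int r;

    if (buf == NULL)
        return -1;
    memcpy(buf, name, n);
    r = colon_at_5_checked(buf);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed sample attribute names, not taken from the project. */
    const char *names[] = { "xmlns:soap", "id", "abcd", "abcde", "" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s -> %d\n", names[i], check_on_heap(names[i]));
    /* The unchecked form is only safe on names of 5+ characters. */
    printf("unchecked on long name -> %d\n", colon_at_5_unchecked(names[0]));
    return 0;
}
```

Building this with `-fsanitize=address` and passing a short name such as `"id"` to the unchecked function reproduces the class of finding the report describes, while the checked function stays clean on the same input.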
