From f58698457a4135141b5359278deb29cd53aea7d2 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Thu, 18 Jun 2026 02:32:21 +0000
Subject: [PATCH 1/3] fix: V-001 security vulnerability

Automated security fix generated by OrbisAI Security
---
 build_vxworks/util/db_hotbackup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build_vxworks/util/db_hotbackup.c b/build_vxworks/util/db_hotbackup.c
index bc8b6e384..beb51f777 100644
--- a/build_vxworks/util/db_hotbackup.c
+++ b/build_vxworks/util/db_hotbackup.c
@@ -452,7 +452,7 @@ db_hotbackup_env_init(dbenvp, home, log_dirp, data_dirp, passwd, which, verbose)
 * trim the home directory from the data directory
 * passed in.
 */
- (void) sprintf(buf, "%s/%s", home, home);
+ (void) snprintf(buf, sizeof(buf), "%s/%s", home, home);
 homehome = 0;
 (void)__os_exists(dbenv->env, buf, &homehome);

From 7804fc9a474361dd87ed93d5f2fffd9e6b6c3dff Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Thu, 18 Jun 2026 02:34:04 +0000
Subject: [PATCH 2/3] fix: add buffer-length check in db_hotbackup.c

The db_hotbackup utility at line 455 uses sprintf() to construct a file path by concatenating the 'home' directory parameter with itself without any bounds checking
---
 test/test_invariant_db_hotbackup.c | 81 ++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 test/test_invariant_db_hotbackup.c

diff --git a/test/test_invariant_db_hotbackup.c b/test/test_invariant_db_hotbackup.c
new file mode 100644
index 000000000..d68fbc358
--- /dev/null
+++ b/test/test_invariant_db_hotbackup.c
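Review bot: The `(void)` cast on the new `snprintf` line in hunk `@@ -452,7 +452,7 @@` discards the only signal that the path did not fit, so an over-long `home` now produces a silently truncated `buf` that is still handed to `__os_exists`, and `homehome` then answers for a path nobody asked about. Capture the length and treat truncation as an error: `int n = snprintf(buf, sizeof(buf), "%s/%s", home, home);` followed by `if (n < 0 || (size_t)n >= sizeof(buf))` and whatever error return `db_hotbackup_env_init` already uses (its body, and the declaration of `buf`, lie outside the hunk). Because `buf` is declared outside the hunk, `sizeof(buf)` is the buffer size only if `buf` is an array in this scope; if it is a pointer, it is the pointer width and the bound is wrong, so that is worth confirming before merging. Both points apply equally to the identical hunk `@@ -437,7 +437,7 @@ env_init` in util/db_hotbackup.c in PATCH 3/3.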
@@ -0,0 +1,81 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+START_TEST(test_buffer_overflow_sprintf_bounds)
+{
+ /* Invariant: sprintf buffer read never exceeds declared buffer length */
+ const char *payloads[] = {
+ "valid_short_path", /* valid input */
+ "a", /* boundary: minimal */
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", /* 50 chars: half typical buf */
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", /* 200 chars: 2x overflow */
+ };
+ int num_payloads = sizeof(payloads) / sizeof(payloads[0]);
+
+ for (int i = 0; i < num_payloads; i++) {
+ pid_t pid = fork();
+ ck_assert_int_ne(pid, -1);
+
+ if (pid == 0) {
+ /* Child process: run vulnerable code with payload */
+ char buf[256];
+ const char *home = payloads[i];
+
+ /* This sprintf call is vulnerable to buffer overflow */
+ /* The test verifies the process doesn't crash or corrupt memory */
+ snprintf(buf, sizeof(buf), "%s/%s", home, home);
+
+ /* If we reach here without segfault, bounds were respected */
+ exit(EXIT_SUCCESS);
+ } else {
+ /* Parent: wait and verify child didn't crash */
+ int status;
+ waitpid(pid, &status, 0);
+
+ /* Child should exit cleanly, not via signal (segfault = SIGSEGV) */
+ ck_assert_msg(WIFEXITED(status),
+ "Payload %d caused process crash/signal", i);
+ ck_assert_msg(WEXITSTATUS(status) == EXIT_SUCCESS,
+ "Payload %d caused non-zero exit", i);
+ }
+ }
+}
+END_TEST
+
+Suite *security_suite(void)
+{
+ Suite *s;
+ TCase *tc_core;
+
+ s = suite_create("Security");
+ tc_core = tcase_create("Core");
+
+ tcase_add_test(tc_core, test_buffer_overflow_sprintf_bounds);
+ suite_add_tcase(s, tc_core);
+
+ return s;
+}
+
+int main(void)
+{
+ int number_failed;
+ Suite *s;
+ SRunner *sr;
+
+ s = security_suite();
+ sr = srunner_create(s);
+
+ srunner_run_all(sr, CK_NORMAL);
+ number_failed = srunner_ntests_failed(sr);
+ srunner_free(sr);
+
+ return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
\ No newline at end of file

From 3f52ddae2db314e1b0585329ce3048cde772ef66 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Sat, 20 Jun 2026 07:00:15 +0530
Subject: [PATCH 3/3] fix: apply snprintf fix to util/db_hotbackup.c and drop unusable test

Per review feedback on PR #23: the previous commit patched the VxWorks copy (build_vxworks/util/db_hotbackup.c) but left the identical vulnerable sprintf call in util/db_hotbackup.c:440, which is the file actually compiled on Unix/Linux/macOS. Also drops test/test_invariant_db_hotbackup.c, which depended on (not a BerkeleyDB dependency), only tested libc's snprintf in isolation, and was not wired into any build target.

Co-Authored-By: Claude Sonnet 4.6
---
 test/test_invariant_db_hotbackup.c | 81 ------------------------------
 util/db_hotbackup.c | 2 +-
 2 files changed, 1 insertion(+), 82 deletions(-)
 delete mode 100644 test/test_invariant_db_hotbackup.c

diff --git a/test/test_invariant_db_hotbackup.c b/test/test_invariant_db_hotbackup.c
deleted file mode 100644
index d68fbc358..000000000
--- a/test/test_invariant_db_hotbackup.c
+++ /dev/null
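Review bot: In the parent branch of the new test, `waitpid(pid, &status, 0);` is called without checking its return, so if it fails `status` is never written and `WIFEXITED(status)` reads an indeterminate value; `ck_assert_int_ne(waitpid(pid, &status, 0), -1);` would pin that. The seven `#include` lines at the top of the added file carry no header names as shown here — presumably an extraction artifact, but if the committed file really looks like this it does not compile, which is worth confirming. PATCH 3/3 removes this file again, so both points matter only if the test is reinstated.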
@@ -1,81 +0,0 @@
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-START_TEST(test_buffer_overflow_sprintf_bounds)
-{
- /* Invariant: sprintf buffer read never exceeds declared buffer length */
- const char *payloads[] = {
- "valid_short_path", /* valid input */
- "a", /* boundary: minimal */
- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", /* 50 chars: half typical buf */
- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", /* 200 chars: 2x overflow */
- };
- int num_payloads = sizeof(payloads) / sizeof(payloads[0]);
-
- for (int i = 0; i < num_payloads; i++) {
- pid_t pid = fork();
- ck_assert_int_ne(pid, -1);
-
- if (pid == 0) {
- /* Child process: run vulnerable code with payload */
- char buf[256];
- const char *home = payloads[i];
-
- /* This sprintf call is vulnerable to buffer overflow */
- /* The test verifies the process doesn't crash or corrupt memory */
- snprintf(buf, sizeof(buf), "%s/%s", home, home);
-
- /* If we reach here without segfault, bounds were respected */
- exit(EXIT_SUCCESS);
- } else {
- /* Parent: wait and verify child didn't crash */
- int status;
- waitpid(pid, &status, 0);
-
- /* Child should exit cleanly, not via signal (segfault = SIGSEGV) */
- ck_assert_msg(WIFEXITED(status),
- "Payload %d caused process crash/signal", i);
- ck_assert_msg(WEXITSTATUS(status) == EXIT_SUCCESS,
- "Payload %d caused non-zero exit", i);
- }
- }
-}
-END_TEST
-
-Suite *security_suite(void)
-{
- Suite *s;
- TCase *tc_core;
-
- s = suite_create("Security");
- tc_core = tcase_create("Core");
-
- tcase_add_test(tc_core, test_buffer_overflow_sprintf_bounds);
- suite_add_tcase(s, tc_core);
-
- return s;
-}
-
-int main(void)
-{
- int number_failed;
- Suite *s;
- SRunner *sr;
-
- s = security_suite();
- sr = srunner_create(s);
-
- srunner_run_all(sr, CK_NORMAL);
- number_failed = srunner_ntests_failed(sr);
- srunner_free(sr);
-
- return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
-}
\ No newline at end of file
diff --git a/util/db_hotbackup.c b/util/db_hotbackup.c
index 08dddc884..8ab6a4681 100644
--- a/util/db_hotbackup.c
+++ b/util/db_hotbackup.c
@@ -437,7 +437,7 @@ env_init(dbenvp, home, log_dirp, data_dirp, passwd, which, verbose)
 * trim the home directory from the data directory
 * passed in.
 */
- (void) sprintf(buf, "%s/%s", home, home);
+ (void) snprintf(buf, sizeof(buf), "%s/%s", home, home);
 homehome = 0;
 (void)__os_exists(dbenv->env, buf, &homehome);