xinetd probe: bound paths and strans keys; export oscap_path_join #2349
Draft
Mab879 wants to merge 1 commit into
Conversation
jan-cerny reviewed May 7, 2026
| * path by exactly 1 slash separator. | ||
| */ | ||
| char *oscap_path_join(const char *path1, const char *path2); | ||
| OSCAP_API char *oscap_path_join(const char *path1, const char *path2); |
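Review bot: Adding OSCAP_API to this prototype turns oscap_path_join into an exported, public-ABI symbol rather than a test-only helper, so the declaration should live in a public header (src/common/public/oscap.h is the one suggested in review) and the doc comment above it should state the full contract the public API now commits to; the visible fragment only says the two parts are joined by exactly one slash separator, and says nothing about ownership of the returned buffer or behaviour on NULL or empty arguments.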
Member
Function prototypes marked with OSCAP_API need to be put in a public header file. Please move it for example to src/common/public/oscap.h.
474e82d to 3a6fadc
Use snprintf and length checks for stack buffers; build includedir paths with oscap_path_join. Mark oscap_path_join OSCAP_API for embedded tests. Add regression test for oversized name+protocol key. Co-authored-by: Cursor <cursoragent@cursor.com>
3a6fadc to 9d2f7f0
edznux-dd added a commit to edznux-dd/openscap that referenced this pull request on Jun 12, 2026
Bugs found by fuzzing xiconf_parse()/xiconf_parse_section() with crafted
xinetd configuration content. A regression test exercising each case is
added in a follow-up commit (tests/probes/xinetd).
- A line with no trailing newline set the line length to the whole file
length instead of the bytes remaining from the current offset, so the
fixed line buffer was overflowed by memcpy() (heap-buffer-overflow). Two
sites: the top-level scanner and xiconf_parse_section().
- An unterminated service section ran its for(;;) reader past the end of
the in-memory file; bound the loop to inoff < inlen and guard the
section entry against inoff already being at/after the end.
- *strchr(buffer, ' ') = '\0' dereferenced NULL when the copied line
contained an embedded NUL (arbitrary file content), at two sites
(keyword and service name). Check the result before writing.
- For a keyword with no value, op was set past the keyword's NUL
terminator, reading out of bounds; only step past it when a value
follows.
- A (name, protocol) translation key was built with strcpy()/strcat()
into a fixed buffer with no NULL or length check; a NULL protocol
dereferenced and an over-long name+protocol overflowed it. Guard both,
matching the checks already in xiconf_getservice().
- xiconf_service_free() recursed over the ->next chain; a long crafted
chain overflowed the stack. Free iteratively.
- On an unrecognized type value, scur->type (strdup'd, later free'd) was
reassigned to a string literal -> invalid free, and the old value
leaked. Free the old value and strdup("").
- op_assign_str() leaked the previous value when an attribute was
repeated within a section; free before reassigning.
We are aware of the in-progress hardening in OpenSCAP#2349, which touches this
file; its scope (include-path handling) is narrower and does not cover
the bugs above. Two findings overlap and are reconciled here.
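As an added illustration, not code from OpenSCAP or from the commit above, the constructed C functions below show the shape of the checks the message describes: a last-line length computed from the current offset rather than the whole file, a reader loop bounded by the input length, a strchr() result checked before it is written through, and a name/protocol key built with snprintf() plus NULL and length checks. The buffer sizes and the '/' key separator are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define LINE_MAX_LEN 64   /* fixed line buffer (constructed size) */
#define KEY_MAX_LEN  32   /* fixed strans key buffer (constructed size) */

/* Bytes in the line at in+off: up to the next '\n', or, for a last line with
 * no trailing newline, the bytes remaining from off (never the whole inlen). */
static size_t line_len(const char *in, size_t inlen, size_t off)
{
    const char *nl = memchr(in + off, '\n', inlen - off);
    return nl ? (size_t)(nl - (in + off)) : inlen - off;
}
/* Walk an in-memory file with the loop bounded by off < inlen; returns the
 * line count, or -1 if a line would not fit the fixed buffer. */
static int scan_lines(const char *in, size_t inlen)
{
    char buf[LINE_MAX_LEN];
    size_t off = 0, len;
    int n = 0;
    while (off < inlen) {
        len = line_len(in, inlen, off);
        if (len >= sizeof buf) return -1;   /* refuse instead of overflowing */
        memcpy(buf, in + off, len);
        buf[len] = '\0';
        n++;
        off += len + 1;   /* skip the '\n'; may reach or pass inlen on the last line */
    }
    return n;
}
/* Split "keyword value": check strchr() before writing through it (an embedded
 * NUL or a missing space gives NULL). Returns strlen(value), or -1 if none. */
static int keyword_value_len(const char *line, size_t linelen)
{
    char buf[LINE_MAX_LEN], *sp;
    if (linelen >= sizeof buf) return -1;
    memcpy(buf, line, linelen);
    buf[linelen] = '\0';
    if ((sp = strchr(buf, ' ')) == NULL) return -1;
    *sp = '\0';
    return (int)strlen(sp + 1);   /* step past the NUL only because a value follows */
}
/* Build the "name/proto" key (separator assumed) with snprintf(); reject a
 * NULL part or a result that would not fit the fixed buffer. */
static int strans_key_ok(const char *name, const char *proto)
{
    char key[KEY_MAX_LEN];
    if (name == NULL || proto == NULL) return 0;
    int n = snprintf(key, sizeof key, "%s/%s", name, proto);
    return n >= 0 && (size_t)n < sizeof key;
}
```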
Use snprintf and length checks for stack buffers; build includedir paths with oscap_path_join. Mark oscap_path_join OSCAP_API for embedded tests. Add regression test for oversized name+protocol key.
Fixes various code issues in this file.