| शीर्षक | Tomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K Out-of-bounds Write |
|---|
| विवरण | All three apcupsd CGI programs share a common main() function pattern that reads the configuration file /usr/local/apcupsd/multimon.conf line by line. During parsing, the code performs an out-of-bounds NUL byte write that extends beyond the target stack buffer:
char v26[4096]; // stack buffer
char v27[6]; // adjacent small buffer
fgets(v27, 512, config_file); // reads up to 512 bytes from multimon.conf
v26[strlen(v27) + 4095] = 0; // OOB write when strlen(v27) > 0
The fgets(v27, 512, ...) call reads up to 512 bytes into v27, a 6-byte buffer adjacent to larger stack variables. The subsequent expression v26[strlen(v27) + 4095] = 0 writes a NUL byte at an offset from v26 that depends on the length of the line read. When strlen(v27) > 1, the write exceeds the 4096-byte bound of v26, corrupting adjacent stack data including saved registers and return addresses. |
|---|
| स्रोत | ⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5N |
|---|
| उपयोगकर्ता | Anonymous User |
|---|
| सबमिशन | 10/06/2026 03:56 PM (1 महीना पहले) |
|---|
| संयम | 12/07/2026 11:01 PM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 377895 [Shibby Tomato तक 1.28.0000 apcupsd tomatodata.cgi main बफ़र ओवरफ़्लो] |
|---|
| अंक | 20 |
|---|