提出 #855121: Tomato by Shibby Tomato Firmware Tomato v1.28 RT-N5x MIPSR2 build 132 Max Stack-based Buffer Overflow情報

タイトルTomato by Shibby Tomato Firmware Tomato v1.28 RT-N5x MIPSR2 build 132 Max Stack-based Buffer Overflow
説明sub_407220 renders DNS server information into a JavaScript array. It allocates a fixed 128-byte stack buffer and appends each DNS entry with sprintf(&buf[strlen(buf)], ...) in a loop. The number of entries is taken from get_dns(), and the function does not verify that the accumulated string still fits in the destination buffer. char buf[128]; dns = get_dns(); strcpy(buf, "\ndns = ["); for (i = 0; i < dns[0]; ++i) { size_t len = strlen(buf); char *ip = inet_ntoa((struct in_addr)dns[2 * i + 1]); sprintf(&buf[len], "%s'%s:%u'", i ? "," : "", ip, port); } strcat(buf, "];\n"); web_puts(buf); With 8 ordinary DNS entries, the generated string reaches approximately 146 bytes before the final NUL terminator, exceeding the 128-byte stack buffer.
ソース⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5R
ユーザー
 Cormac315 (UID 97273)
送信2026年06月10日 16:08 (1 月 ago)
モデレーション2026年07月12日 23:01 (1 month later)
ステータス承諾済み
VulDBエントリ377898 [Shibby Tomato 迄 1.28.0000 DNS List Rendering /usr/sbin/httpd sub_407220 メモリ破損]
ポイント20

Want to know what is going to be exploited?

We predict KEV entries!