| 제목 | Tomato by Shibby Tomato Firmware 1.28 Stack-based Buffer Overflow |
|---|
| 설명 | All three apcupsd CGI programs share a common getupsvar() function that retrieves UPS status data from the apcupsd daemon via TCP port 3551. For 31 out of 37 recognized field names (those with internal flag v11 == 1), the function extracts the field value using:
sscanf(line_ptr, "%*s %*s %s", caller_buffer);
The %s format specifier has no field-width limiter and writes unlimited bytes until whitespace. The caller-supplied buffer size parameter (a4) is present in the function signature but completely ignored in this code path. Typical callers pass 64-byte stack buffers. |
|---|
| 원천 | ⚠️ https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5M |
|---|
| 사용자 | Anonymous User |
|---|
| 제출 | 2026. 06. 10. PM 03:53 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 12. PM 11:01 (1 month later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 377894 [Shibby Tomato 까지 1.28.0000 apcupsd tomatodata.cgi getupsvar 들 메모리 손상] |
|---|
| 포인트들 | 20 |
|---|