libcsp Buffer Overflow Vulnerability in csp_eth_init Function

Vulnerability

A heap-based buffer overflow vulnerability has been identified in libcsp version 2.0 within the csp_eth_init() function. The issue arises from improper handling of the ifname parameter, where strcpy is used to copy the interface name into a structure member without validating the input length. This oversight allows for writing beyond the bounds of the buffer, leading to a heap overflow.

Impact

The heap-based buffer overflow can potentially be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by calling the csp_eth_init() function with an interface name that exceeds CSP_IFLIST_NAME_MAX bytes. The function will then use strcpy to copy the name into a buffer, leading to a heap-buffer-overflow error, as reported by AddressSanitizer.

Remediation

Users can update to the latest version of libcsp, where this vulnerability has been addressed by replacing the unsafe strcpy call with strncpy, limiting the copy to ensure memory safety.
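
The copy pattern described above and two bounded replacements, as an added example rather than libcsp source code. The eth_ctx_t structure, the set_name_* helpers and the value given to CSP_IFLIST_NAME_MAX are assumptions made for illustration. Because strncpy does not write a terminator when it truncates, the bounded version terminates the buffer explicitly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for this example; use the definition from the libcsp headers you build against. */
#define CSP_IFLIST_NAME_MAX 10

/* Hypothetical stand-in for the heap-allocated structure that stores the name. */
typedef struct {
    char name[CSP_IFLIST_NAME_MAX + 1];
    int  sockfd; /* neighbouring field that an out-of-bounds write would corrupt */
} eth_ctx_t;

/* Pattern from the advisory: unbounded copy into a fixed-size member.
 * Kept for comparison; it is only ever called with a short name here. */
static void set_name_unsafe(eth_ctx_t *ctx, const char *ifname) {
    strcpy(ctx->name, ifname);
}

/* Bounded copy: truncates, then terminates explicitly because strncpy
 * leaves the buffer unterminated when the source fills it. */
static void set_name_truncate(eth_ctx_t *ctx, const char *ifname) {
    strncpy(ctx->name, ifname, sizeof(ctx->name) - 1);
    ctx->name[sizeof(ctx->name) - 1] = '\0';
}

/* Stricter variant: reject an overlong name instead of silently truncating.
 * Returns 0 on success, -1 on a NULL or overlong name. */
static int set_name_checked(eth_ctx_t *ctx, const char *ifname) {
    if (ifname == NULL || strlen(ifname) >= sizeof(ctx->name))
        return -1;
    memcpy(ctx->name, ifname, strlen(ifname) + 1);
    return 0;
}

int main(void) {
    const char *long_name = "enp0s31f6-overlong-name"; /* constructed input */
    eth_ctx_t *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return 1;
    set_name_unsafe(ctx, "eth0"); /* safe only because the name fits */
    set_name_truncate(ctx, long_name);
    printf("truncated to '%s', sockfd still %d\n", ctx->name, ctx->sockfd);
    printf("checked copy returns %d\n", set_name_checked(ctx, long_name));
    free(ctx);
    return 0;
}
```

Building the caller with -fsanitize=address and passing the overlong name to the strcpy variant is how the heap-buffer-overflow report mentioned under Reproduction would surface.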

Added: Aug 11, 2025, 7:38 PM
Updated: Aug 11, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 7.5
exploitability: 8.4
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.