OpenSatKit Stack Buffer Overflow Vulnerability in Directory Name Handling

Vulnerability

A stack buffer overflow vulnerability has been identified in OpenSatKit version 2.2.1. The issue arises in the file management module, specifically within the 'DIR_DeleteAllCmd' function. The vulnerability is caused by the 'DirName' field in telecommands, which is treated as untrusted input. The program copies this field into a local buffer, 'DirWithSep', using 'strcpy' without proper bounds checking. The buffer size is defined by 'OS_MAX_PATH_LEN'. If 'DirName' is equal to or exceeds this length, a buffer overflow occurs, overwriting adjacent stack memory. The vulnerability is exacerbated by the fact that the path length validation is performed after the copy operation, allowing the overflow to occur before any checks can be applied.
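The ordering problem described above, corrected in a short added example (this is not OpenSatKit's code): the length is validated before anything is written to the destination. The helper names, the values of OS_MAX_PATH_LEN and FIELD_LEN, and the trailing separator (inferred from the buffer name 'DirWithSep') are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define OS_MAX_PATH_LEN 64  /* assumed value for this example */
#define FIELD_LEN       80  /* assumed size of the constructed command field */

/* Pattern the advisory describes (not compiled here):
 *   strcpy(DirWithSep, DirName);   copy first, no bound
 *   ...length validation...        runs after the stack is already overwritten
 */

/* Hypothetical helper: validate first, then copy. Returns 0 on success, -1 on reject. */
int build_dir_with_sep(const char *dir_name, size_t field_len,
                       char *out, size_t out_len)
{
    const char *nul;
    size_t len, need_sep;

    if (dir_name == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    /* Bounded scan: a field with no terminator is rejected, never read past. */
    nul = memchr(dir_name, '\0', field_len);
    if (nul == NULL)
        return -1;
    len = (size_t)(nul - dir_name);
    if (len == 0)
        return -1;
    /* Room is needed for the name, an optional '/' and the NUL. */
    need_sep = (dir_name[len - 1] != '/') ? 1 : 0;
    if (len + need_sep + 1 > out_len)
        return -1;

    memcpy(out, dir_name, len);
    if (need_sep)
        out[len++] = '/';
    out[len] = '\0';
    return 0;
}

static char demo_out[OS_MAX_PATH_LEN];  /* stands in for the local DirWithSep */

/* Builds a constructed field holding n 'a' characters and runs the check on it. */
int demo(size_t n)
{
    char field[FIELD_LEN];
    if (n > FIELD_LEN) n = FIELD_LEN;
    memset(field, 0, sizeof field);
    memset(field, 'a', n);
    return build_dir_with_sep(field, sizeof field, demo_out, sizeof demo_out);
}
```

With these assumed sizes, a 62-character name is the longest accepted; longer names and unterminated fields are rejected with the destination left as an empty string.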

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, causing memory corruption by overwriting adjacent stack memory.

Reproduction

The vulnerability can be reproduced by sending a telecommand that includes a 'DirName' field with a length equal to or greater than 'OS_MAX_PATH_LEN'. This will trigger the buffer overflow by overwriting adjacent stack memory.

Added: Feb 11, 2026, 6:24 PM
Updated: Feb 11, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.7
remediation: 0.0
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.