iPhone usbmuxd buffer overflow

In June of 2010 I wrote about upgrading the iPhone on Linux. I just noticed a report (CVE-2012-0065) that there is no boundary specified in the “SerialNumber” field of usbmuxd (USB multiplexor daemon for iPhone) in the “receive_packet()” function (libusbmuxd/libusbmuxd.c), as shown in a recent update and diff on git.marcansoft.com

diff --git a/libusbmuxd/libusbmuxd.c b/libusbmuxd/libusbmuxd.c

index e06ee61..98e92df 100644 (file)

--- a/libusbmuxd/libusbmuxd.c
+++ b/libusbmuxd/libusbmuxd.c
@@ -189,7 +189,7 @@ static int receive_packet(int sfd, struct usbmuxd_header *header, void **payload
                                char *strval = NULL;
                                plist_get_string_val(n, &strval);
                                if (strval) {
-                                       strcpy(dev->serial_number, strval);
+                                       strncpy(dev->serial_number, strval, 255);
                                n = plist_dict_get_item(props, "LocationID");

It could lead to a heap-based buffer overflow. Not all versions are affected. RedHat indicates the flaw was introduced after 1.0.5 last July along with plist-based support. That’s why Canonical shows Ubuntu 10 as not-affected but 11 needs a patch.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.