net-tools/net-tools-proc_gen_fmt-buffer-overflow.patch

Backported to exclude f84cd22a921c25c56a6c194d4825dbd9ceea0e5f
From 84041080a5d4794045b098ced90e0309bcbcff44 Mon Sep 17 00:00:00 2001
From: Zephkeks <zephyrofficialdiscord@gmail.com>
Date: Sat, 17 May 2025 22:11:37 +0200
Subject: [PATCH] proc.c: Stack-based Buffer Overflow in net-tools
 (proc_gen_fmt)

Coordinated as GHSA-w7jq-cmw2-cq59.
---
 lib/proc.c | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/lib/proc.c b/lib/proc.c
index d51d09f..02aae49 100644
--- a/lib/proc.c
+++ b/lib/proc.c
@@ -17,6 +17,8 @@ char *proc_gen_fmt(const char *name, int more, FILE * fh,...)
     char buf[512], format[512] = "";
     char *title, *head, *hdr;
     va_list ap;
+    size_t format_len = 0;
+    size_t format_size = sizeof(format);
 
     if (!fgets(buf, (sizeof buf) - 1, fh))
 	return NULL;
@@ -33,14 +35,43 @@ char *proc_gen_fmt(const char *name, int more, FILE * fh,...)
 	    *hdr++ = 0;
 
 	if (!strcmp(title, head)) {
-	    strcat(format, va_arg(ap, char *));
+	    const char *arg = va_arg(ap, char *);
+	    size_t arg_len = strlen(arg);
+
+	    /* Check if we have enough space for format specifier + space */
+	    if (format_len + arg_len + 1 >= format_size) {
+		fprintf(stderr, "warning: format buffer overflow in %s\n", name);
+		va_end(ap);
+		return NULL;
+	    }
+
+	    strcpy(format + format_len, arg);
+	    format_len += arg_len;
+
 	    title = va_arg(ap, char *);
 	    if (!title || !head)
 		break;
 	} else {
-	    strcat(format, "%*s");	/* XXX */
+	    /* Check if we have enough space for "%*s" */
+	    if (format_len + 3 >= format_size) {
+		fprintf(stderr, "warning: format buffer overflow in %s\n", name);
+		va_end(ap);
+		return NULL;
+	    }
+
+	    strcpy(format + format_len, "%*s");
+	    format_len += 3;
 	}
-	strcat(format, " ");
+
+	/* Check if we have space for the trailing space */
+	if (format_len + 1 >= format_size) {
+	    fprintf(stderr, "warning: format buffer overflow in %s\n", name);
+	    va_end(ap);
+	    return NULL;
+	}
+
+	format[format_len++] = ' ';
+	format[format_len] = '\0';
     }
     va_end(ap);
 
-- 
2.48.1