Zektopic · ManupaKDU · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -102,6 +102,10 @@
 **Vulnerability:** In `package/network/config/netifd/files/lib/netifd/utils.uc`, the `handler_load` function iterates over `.sh` scripts in a directory and uses their `basename` to execute them via a string interpolated `system()` call (`system("./${script} ...")`). If an attacker could place a maliciously named file in the parsed directory (e.g., `$(touch \/tmp\/pwned).sh`), it would result in arbitrary command execution.
 **Learning:** In `ucode` scripts, `system()` with a string argument is executed by the shell (`/bin/sh -c`). When using variables derived from filenames or external sources within these string templates, failure to sanitize allows shell metacharacter injection.
 **Prevention:** To protect `system()` or `fs.popen()` when string interpolation is unavoidable, always strictly validate variables using regex allowlists (e.g., `if (match(script, /[^a-zA-Z0-9_.-]/)) continue;`) to ensure only safe characters are evaluated by the shell.
+## 2024-05-24 - Buffer overflow and munmap leak in patch-cmdline.c
+**Vulnerability:** A `strcpy` copied `argv[2]` into a buffer bounded by `CMDLINE_MAX` leading to buffer overflow, and an error path `munmap` passed the wrong length (`len` instead of `search_space + CMDLINE_MAX`).
+**Learning:** Even when there is length checking logic (`len + 9 > CMDLINE_MAX`), `strcpy` should not be used as it does not inherently limit the bounds of the destination buffer based on size limit. Also, mmap cleanup sizes must match the original mmap size to avoid leaks and memory corruption.
+**Prevention:** Always use bounded copy functions like `strncpy` or `strscpy`, making sure the buffer size includes room for null termination, and carefully double-check `munmap` sizes against their matching `mmap` allocation.
 ## 2024-05-24 - Buffer Overflow via `sprintf` in tinysrp/tphrase.c
 **Vulnerability:** A buffer overflow vulnerability existed because `sprintf` was used to write to dynamically allocated buffers (`bakfile` and `bakfile2`) without bounds checking. While the buffer size was mathematically exact (`strlen(pwname) + 5`), `sprintf` is inherently unsafe and flagged by security scanners.
 **Learning:** `sprintf` lacks bounds checking, making it an anti-pattern even when buffer sizes are "known" to be correct, as subsequent changes to the formatting string or length calculation could easily introduce overflows.

diff --git a/tools/patch-image/src/patch-cmdline.c b/tools/patch-image/src/patch-cmdline.c
@@ -71,12 +71,12 @@ int main(int argc, char **argv)
 	}
 
 	memset(p, 0, CMDLINE_MAX - 8);
-	strcpy(p, argv[2]);
+	strncpy(p, argv[2], CMDLINE_MAX - 9);
 	msync(p, CMDLINE_MAX, MS_SYNC|MS_INVALIDATE);
 	ret = 0;
 
 err3:
-	munmap((void *) ptr, len);
+	munmap((void *) ptr, search_space + CMDLINE_MAX);
 err2:
 	if (fd > 0)
 		close(fd);