[BUG] Stack buffer overflow: unclamped sdl_nlen in net_if_stats (BSD) #2848

Description

@Fuyugithub

Bug Description

In psutil/arch/bsd/net.c, sdl->sdl_nlen from kernel data is used as a length for strncpy and as an index for null-termination without being bounds-checked against the 32-byte ifc_name buffer.

Location

psutil/arch/bsd/net.c:49-52

Code

char ifc_name[32];
strncpy(ifc_name, sdl->sdl_data, sdl->sdl_nlen);    // overflow if sdl_nlen >= 32
ifc_name[sdl->sdl_nlen] = '\0';                      // write past buffer end

Impact

If sdl->sdl_nlen >= 32 (from a malformed or unusual kernel response), this overflows the stack buffer, potentially enabling:

  • Stack smashing / crash
  • Control flow hijacking (stack-based buffer overflow is CWE-121)

Note: The equivalent code in osx/net.c:78-79 correctly clamps the length:

if (namelen >= IFNAMSIZ) namelen = IFNAMSIZ - 1;

Suggested Fix

char ifc_name[32];
u_char namelen = sdl->sdl_nlen;
if (namelen >= sizeof(ifc_name))
    namelen = sizeof(ifc_name) - 1;
strncpy(ifc_name, sdl->sdl_data, namelen);
ifc_name[namelen] = '\0';

Environment

  • OS: FreeBSD, NetBSD, OpenBSD
  • psutil version: current main (commit 7b6a9a6)
  • Affected API: psutil.net_if_stats()
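The clamp in the suggested fix, written out as a small self-contained program so the bound can be exercised on any platform. This is an added example and not psutil's code: `struct fake_sdl` is a constructed stand-in for the name-carrying part of `struct sockaddr_dl` (a `u_char sdl_nlen` followed by `sdl_data`), and the function names are assumptions made here for illustration. It shows the invariant the unpatched code skips (`nlen < sizeof(buffer)`), that `strncpy` leaves the buffer unterminated when the source has at least `nlen` non-NUL bytes, and that a kernel-reported length of 32 or more is cut to 31 bytes plus the terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size used for the interface name, matching char ifc_name[32]. */
#define IFC_NAME_SIZE 32

/* Constructed stand-in for the relevant fields of struct sockaddr_dl
 * (net/if_dl.h) so the example builds outside BSD. sdl_nlen is the
 * kernel-reported name length; sdl_data carries the name bytes. */
struct fake_sdl {
    unsigned char sdl_nlen;
    char sdl_data[64];
};

/* The bounds check the unpatched code omits: a name of nlen bytes plus
 * its NUL terminator fits only if nlen < bufsize. */
int ifname_len_fits(size_t nlen, size_t bufsize)
{
    return nlen < bufsize;
}

/* Clamped copy, as in the issue's suggested fix. The length is capped at
 * bufsize - 1 so both the strncpy and the terminator write stay inside
 * dst. Returns the number of name bytes actually stored. */
size_t copy_ifname_clamped(char *dst, size_t bufsize, const char *src, size_t nlen)
{
    if (bufsize == 0)
        return 0;
    if (nlen >= bufsize)
        nlen = bufsize - 1;
    /* strncpy does not NUL-terminate when src holds >= nlen non-NUL bytes,
     * so the explicit terminator below is required, not cosmetic. */
    strncpy(dst, src, nlen);
    dst[nlen] = '\0';
    return nlen;
}

/* Extract the interface name from a (fake) sockaddr_dl into a 32-byte buffer. */
size_t extract_ifname(const struct fake_sdl *sdl, char out[IFC_NAME_SIZE])
{
    return copy_ifname_clamped(out, IFC_NAME_SIZE, sdl->sdl_data, sdl->sdl_nlen);
}

/* Build a fake sdl that claims nlen name bytes of the letter c. A claimed
 * length beyond sdl_data's size is kept as-is to mimic a malformed record;
 * only the bytes that fit are filled, and the clamp never reads past 31. */
void make_fake_sdl(struct fake_sdl *sdl, char c, unsigned char nlen)
{
    size_t fill = nlen;
    if (fill > sizeof(sdl->sdl_data))
        fill = sizeof(sdl->sdl_data);
    memset(sdl, 0, sizeof(*sdl));
    sdl->sdl_nlen = nlen;
    memset(sdl->sdl_data, c, fill);
}

int main(void)
{
    struct fake_sdl sdl;
    char name[IFC_NAME_SIZE];

    make_fake_sdl(&sdl, 'A', 40);   /* constructed: claims 40 bytes, buffer holds 31 + NUL */
    size_t stored = extract_ifname(&sdl, name);
    printf("claimed %u bytes, fits=%d, stored %zu bytes: %s\n",
           sdl.sdl_nlen, ifname_len_fits(sdl.sdl_nlen, IFC_NAME_SIZE), stored, name);
    return 0;
}
```

The clamp deliberately uses `sizeof(ifc_name)` rather than a separate constant so the bound cannot drift from the buffer declaration; the `bufsize == 0` guard only matters for callers that pass a size at runtime, which the psutil code does not.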
