[BusyBox 0001520]: Incorrect usage of strncat in coreutils/stat.c

bugs at busybox.net bugs at busybox.net
Fri Oct 5 13:32:30 PDT 2007 

The following issue has been CLOSED 
====================================================================== 
http://busybox.net/bugs/view.php?id=1520 
====================================================================== 
Reported By:                d3z
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   1520
Category:                   Security
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             10-04-2007 00:19 PDT
Last Modified:              10-05-2007 13:32 PDT
====================================================================== 
Summary:                    Incorrect usage of strncat in coreutils/stat.c
Description: 
coreutils/stat.c contains numerous instances of 'strncat' that are
incorrect.

  strncat(pformat, "s", buf_len);

should instead read something like:

  strncat(pformat, "s", buf_len-strlen(pformat)-1);

This could cause a buffer overflow if the buffer size computations were
incorrect.
====================================================================== 

---------------------------------------------------------------------- 
 vda - 10-05-07 13:32  
---------------------------------------------------------------------- 
Can be replaced by plain strcat, we do have enough buffer space there.

Fixed in svn, thanks.

function                                             old     new   delta
printfs                                                -      28     +28
strcatc                                                -      26     +26
human_time                                            41      44      +3
print_it                                             229     219     -10
buf                                                   30       -     -30
print_statfs                                         420     358     -62
print_stat                                          1089     921    -168
------------------------------------------------------------------------------
(add/remove: 2/1 grow/shrink: 1/3 up/down: 57/-270)          Total: -213
bytes
   text    data     bss     dec     hex filename
 771105    1029    9552  781686   bed76 busybox_old
 770892    1029    9520  781441   bec81 busybox_unstripped 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
10-04-07 00:19  d3z            New Issue                                    
10-04-07 00:19  d3z            Status                   new => assigned     
10-04-07 00:19  d3z            Assigned To               => BusyBox         
10-05-07 13:32  vda            Status                   assigned => closed  
10-05-07 13:32  vda            Note Added: 0002812                          
======================================================================

More information about the busybox-cvs mailing list