[BusyBox 0004184]: printf buffer overflow
bugs at busybox.net
Thu Jul 17 02:16:54 PDT 2008
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=4184
======================================================================
Reported By: cristic
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 4184
Category: Other
Reproducibility: always
Severity: minor
Priority: normal
Status: assigned
======================================================================
Date Submitted: 07-16-2008 17:32 PDT
Last Modified: 07-17-2008 02:16 PDT
======================================================================
Summary: printf buffer overflow
Description:
Hi, "printf %" leads to a buffer overflow, and prints random values from
the stack:
This should be rejected as in Coreutils:
$ printf %
./printf: %: invalid conversion specification
The problem is that printf does not validate the format specifier. One
possible fix would be to add a check along these lines after line 201 in
printf.c:
direc_start = f++;
+ if (*f == '\0')
+ fprintf(stderr, "invalid conversion
specification");
direc_length = 1;
field_width = precision = -1;
if (*f == '%') {
bb_putchar('%');
break;
}
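Review bot: the added check for *f == '\0' only prints a message and then falls through to direc_length = 1, so the directive is still parsed with f sitting on the string terminator and the read past the end of the format is not prevented. Processing of the format has to stop right after the error is reported (return an error or break out of the loop). The message also has no trailing newline, unlike the Coreutils output quoted above.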
Thanks,
Cristian
======================================================================
----------------------------------------------------------------------
bernhardf - 07-17-08 01:02
----------------------------------------------------------------------
bb_error_msg_and_die("invalid conversion specification"), yes.
What tool of yours is that? Is it available somewhere? Just curious since
it sounds quite useful.. :)
----------------------------------------------------------------------
vda - 07-17-08 02:16
----------------------------------------------------------------------
Try attached patch
----------------------------------------------------------------------
vda - 07-17-08 02:16
----------------------------------------------------------------------
Careful with _and_die, ash uses printf_main directly
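
An added example of the validation discussed in this report; it is not BusyBox code and not the attached printf.diff. The names check_format and skip_number and the accepted conversion set are assumptions for illustration. It returns an error instead of exiting, since the note above points out that ash calls printf_main directly.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not BusyBox code. The conversion set is an assumption. */
#define CONVERSIONS "diouxXfeEgGcsb"

/* Skip a width or precision: either '*' or a run of digits. */
static const char *skip_number(const char *f)
{
    return (*f == '*') ? f + 1 : f + strspn(f, "0123456789");
}

/* Return 0 if every '%' in fmt starts a complete directive, else -1 with
 * *bad_off set to the offset of the offending '%'. The caller decides
 * what to do, so a shell builtin can report the error and keep running. */
static int check_format(const char *fmt, size_t *bad_off)
{
    const char *f = fmt;
    while (*f) {
        const char *start = f;
        if (*f++ != '%')
            continue;
        if (*f == '%') {                 /* "%%" is a literal percent */
            f++;
            continue;
        }
        f += strspn(f, "-+ #0");         /* flags */
        f = skip_number(f);              /* field width */
        if (*f == '.')
            f = skip_number(f + 1);      /* precision */
        /* strchr() also matches the terminator, so test '\0' explicitly:
         * this is the "printf %" case from the report. */
        if (*f == '\0' || strchr(CONVERSIONS, *f) == NULL) {
            *bad_off = (size_t)(start - fmt);
            return -1;
        }
        f++;
    }
    return 0;
}

int main(void)
{
    size_t off = 0;
    const char *fmt = "rate: %5.2";      /* constructed sample input */
    if (check_format(fmt, &off) < 0)
        fprintf(stderr, "invalid conversion specification at offset %zu\n", off);
    return 0;
}
```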

Issue History
Date Modified   Username   Field                     Change
======================================================================
07-16-08 17:32  cristic    New Issue
07-16-08 17:32  cristic    Status                    new => assigned
07-16-08 17:32  cristic    Assigned To               => BusyBox
07-16-08 17:32  cristic    Issue Monitored: cristic
07-17-08 01:02  bernhardf  Note Added: 0009544
07-17-08 02:15  vda        File Added: printf.diff
07-17-08 02:16  vda        Note Added: 0009574
07-17-08 02:16  vda        Note Added: 0009584
======================================================================