[PATCH] bugfix_busybox_init_message_buffer_overflow
chenjie6 at huawei.com
Mon Aug 31 17:55:21 UTC 2015
From: chenjie <chenjie6 at huawei.com>
The message function will lead to a buffer overflow.
The test case is like this:
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>

void message(int where, const char *fmt, ...)
{
    va_list arguments;
    unsigned l;
    char msg[128];

    (void)where; /* unused in this test case */
    msg[0] = '\r';
    va_start(arguments, fmt);
    /* vsnprintf returns the untruncated length, so l can exceed the buffer */
    l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
    if (l > sizeof(msg) - 1)
        l = sizeof(msg) - 1;    /* clamp to 127 */
    va_end(arguments);
    msg[l] = '\0';
    msg[l++] = '\n';            /* l becomes 128 when the clamp was hit */
    printf("l is length %u\n", l);
    msg[l] = '\0';              /* msg[128]: one byte past the end of msg */
}

int main(void)
{
    const char *arguments = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";

    message(1, "process '%s' (pid 1234) exited. "
            "Scheduling for restart.",
            arguments);
    return 0;
}
We can see msg[128]='\0', but this is wrong. The arguments
are those which we can find in /etc/inittab.
Signed-off-by: Chen Jie <chenjie6 at huawei.com>
---
init/init.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/init/init.c b/init/init.c
index b2fe856..b8f2e73 100644
--- a/init/init.c
+++ b/init/init.c
@@ -221,9 +221,9 @@ static void message(int where, const char *fmt, ...)
msg[0] = '\r';
va_start(arguments, fmt);
- l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
- if (l > sizeof(msg) - 2)
- l = sizeof(msg) - 2;
+ l = 1 + vsnprintf(msg + 1, sizeof(msg) - 3, fmt, arguments);
+ if (l > sizeof(msg) - 3)
+ l = sizeof(msg) - 3;
va_end(arguments);
#if ENABLE_FEATURE_INIT_SYSLOG
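Review bot: The test case in the commit message clamps with `if (l > sizeof(msg) - 1)`, but the lines removed in this hunk already clamp to `sizeof(msg) - 2`, so the reproducer does not exercise the code being changed. With the `- 2` clamp l is at most 126, and if the rest of the function appends one '\n' and one '\0' as the test case does, those land in msg[126] and msg[127], both inside the 128-byte buffer. Please state in the commit message which write goes out of bounds against this version of init/init.c, or rebase and update the test case to match; as posted, `- 3` only shortens the longest message by one byte. A short comment above the clamp naming the bytes being reserved ('\r', '\n', '\0') would also make the constant checkable at a glance.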
--
1.8.0