[PATCH] bugfix_busybox_init_message_buffer_overflow

chenjie6 at huawei.com chenjie6 at huawei.com
Mon Aug 31 17:55:21 UTC 2015


From: chenjie <chenjie6 at huawei.com>

The message function will lead to a buffer overflow.
The test case is like this:
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>

/* Reproducer modelled on init.c's message(): the tail writes below
 * can reach msg[128], one past the end of msg[]. */
void message(int where, const char *fmt, ...){
        va_list arguments;
        unsigned l;
        char msg[128];

        (void)where;
        msg[0] = '\r';
        va_start(arguments, fmt);
        /* vsnprintf returns the full length the message would have had,
         * so l can exceed the buffer and is clamped to 127 here */
        l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
        if (l > sizeof(msg) - 1)
                l = sizeof(msg) - 1;
        va_end(arguments);

        msg[l] = '\0';
        msg[l++] = '\n';          /* with l == 127: msg[127] = '\n', l becomes 128 */
        printf("l is length %u\n", l);
        msg[l] = '\0';            /* with l == 128: writes msg[128], past the end */
}


int main(){
        /* an argument string as found in /etc/inittab, long enough to exceed msg[] */
        char *arguments = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";
        message(1, "process '%s' (pid 1234) exited. "
                        "Scheduling for restart.",
                        arguments);
        return 0;
}

We can see msg[128] = '\0', but this is wrong. The arguments are those which we can find in /etc/inittab.

Signed-off-by: Chen Jie <chenjie6 at huawei.com>
---
 init/init.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/init/init.c b/init/init.c
index b2fe856..b8f2e73 100644
--- a/init/init.c
+++ b/init/init.c
@@ -221,9 +221,9 @@ static void message(int where, const char *fmt, ...)
 
 	msg[0] = '\r';
 	va_start(arguments, fmt);
-	l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
-	if (l > sizeof(msg) - 2)
-		l = sizeof(msg) - 2;
+	l = 1 + vsnprintf(msg + 1, sizeof(msg) - 3, fmt, arguments);
+	if (l > sizeof(msg) - 3)
+		l = sizeof(msg) - 3;
 	va_end(arguments);
 
 #if ENABLE_FEATURE_INIT_SYSLOG
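Review bot: The pre-image of this hunk already keeps the terminator in bounds, so the rationale in the description does not match the code being changed. The clamp being removed is `if (l > sizeof(msg) - 2)`, i.e. 126 for a 128-byte msg, whereas the reproducer in the commit message clamps at `sizeof(msg) - 1`; with the 126 clamp the tail writes shown in the reproducer, `msg[l] = '\0'; msg[l++] = '\n'; msg[l] = '\0';`, touch msg[126] and msg[127] at most, both inside char msg[128]. If the bound is still to be tightened, note that shrinking the vsnprintf size to sizeof(msg) - 3 also drops one more character of the formatted message than the clamp change alone requires; please re-run the reproducer with init.c's actual constants and state in the description which index overflows.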
-- 
1.8.0
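As an added example that is not part of this patch or of busybox, the following C model replays the tail writes of message() under each of the two clamps (init.c's sizeof(msg) - 2 and the reproducer's sizeof(msg) - 1) and reports the highest index written, keeping a few bytes of slack after the 128-byte region so the result is observable rather than undefined. The format string and argument string are the ones from the mail; the MSG_SIZE and SLACK constants and the model_message/fits helper names are this example's own.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of msg[] in message(); the model keeps SLACK extra bytes after it
 * so an off-by-one shows up in the return value instead of as undefined
 * behaviour. Both constants are this example's, not busybox's. */
#define MSG_SIZE 128
#define SLACK 8

/* Instrumented copy of message()'s buffer arithmetic (added model, not
 * busybox code). `clamp` is the bound applied to l: init.c's pre-image
 * uses sizeof(msg) - 2, the reproducer in the mail uses sizeof(msg) - 1.
 * Returns the index of the final '\0' written into msg[]. */
static size_t model_message(size_t clamp, const char *fmt, ...)
{
    char msg[MSG_SIZE + SLACK];
    size_t l;
    va_list ap;

    memset(msg, 'X', sizeof msg);
    msg[0] = '\r';
    va_start(ap, fmt);
    /* vsnprintf reports the length the message would have had, which can
     * exceed the buffer; that is why l must be clamped afterwards */
    l = 1 + vsnprintf(msg + 1, MSG_SIZE - 2, fmt, ap);
    va_end(ap);
    if (l > clamp)
        l = clamp;

    /* the three tail writes from message() */
    msg[l] = '\0';
    msg[l++] = '\n';
    msg[l] = '\0';
    return l;
}

/* 1 if the last write landed inside a MSG_SIZE-byte buffer, else 0 */
static int fits(size_t last_index)
{
    return last_index < MSG_SIZE;
}

/* Argument string quoted in the mail; the formatted line is well over
 * 126 bytes, so both clamps engage. */
static const char *long_args =
    "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";
static const char *fmt = "process '%s' (pid 1234) exited. Scheduling for restart.";

/* init.c's clamp (126): last write is msg[127] */
static size_t last_index_initc(void)
{
    return model_message(MSG_SIZE - 2, fmt, long_args);
}

/* reproducer's clamp (127): last write is msg[128], one past the end */
static size_t last_index_reproducer(void)
{
    return model_message(MSG_SIZE - 1, fmt, long_args);
}

/* a short message is never clamped: "\rhi\n" plus the terminator */
static size_t last_index_short(void)
{
    return model_message(MSG_SIZE - 2, "hi");
}

int main(void)
{
    size_t a = last_index_initc();
    size_t b = last_index_reproducer();
    size_t c = last_index_short();
    printf("clamp sizeof(msg)-2: last index %zu (%s)\n", a, fits(a) ? "in bounds" : "OVERFLOW");
    printf("clamp sizeof(msg)-1: last index %zu (%s)\n", b, fits(b) ? "in bounds" : "OVERFLOW");
    printf("short message:       last index %zu (%s)\n", c, fits(c) ? "in bounds" : "OVERFLOW");
    return 0;
}
```

Running the model shows the difference the reviewer cares about: with the clamp init.c actually uses, the final terminator lands on msg[127]; only the reproducer's looser clamp pushes it to msg[128].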



More information about the busybox mailing list