busybox bug report
Denys Vlasenko
vda.linux at googlemail.com
Tue Mar 3 11:54:20 UTC 2015
On Mon, Mar 2, 2015 at 11:50 PM, David Binderman <dcb314 at hotmail.com> wrote:
>> On Mon, Mar 2, 2015 at 10:21 PM, David Binderman <dcb314 at hotmail.com> wrote:
>>> networking/inetd.c:818:39: warning: loop exit may only be reached after undefined behavior [-Waggressive-loop-optimizations]
>>>
>>> while ((arg = token[6+argc]) != NULL && argc < MAXARGV)
>>
>> What's wrong with this code?
>
> It uses argc as an array index then sanity checks it.
> My suggestion sanity checks the array index *before* use.
Aha. token[] is "char *token[6+MAXARGV]" and we can read past it.
Thanks!
More information about the busybox
mailing list