http://bugs.busybox.net/view.php?id=4594
Test case: ./nmeter -
The problem in in nmeter.c:
776: char buf[32];
...
790: if (open_read_close("version", buf, sizeof(buf)) > 0)
791: is26 = (strstr(buf, " 2.4.")==NULL);
At line 790, up to 32 chars are read into buf. If all 32 chars are
used, there's no space left for a terminating zero, and strstr will
read out-of-bounds memory. The fix would be to either resize buf or
read only up to sizeof(buf)-1 char, and to terminate buf with a '\0'.
Thanks,
Cristian
_______________________________________________
busybox mailing list
[email protected]
http://busybox.net/cgi-bin/mailman/listinfo/busybox
