Hello Chenjie,

Your test case does not match the pre-patch code of message(), and I think your patch is not necessary.
Cheers,
Xabier Oneca_,,_

2015-08-31 19:55 GMT+02:00 <[email protected]>:
> From: chenjie <[email protected]>
>
> The message function will lead to a buffer overflow.
> The test case is like this:
>
> #include <stdio.h>
> #include <string.h>
> #include <stdarg.h>
> #include <stdlib.h>
>
> void message(int where, const char *fmt, ...)
> {
>     va_list arguments;
>     unsigned l;
>     char msg[128];
>
>     msg[0] = '\r';
>     va_start(arguments, fmt);
>     l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
>     if (l > sizeof(msg) - 1)
>         l = sizeof(msg) - 1;
>     va_end(arguments);
>
>     msg[l] = '\0';
>     msg[l++] = '\n';
>     printf("l is length %u\n", l);
>     msg[l] = '\0';   /* with l capped at 127 this is msg[128], one past the end */
> }
>
> int main(void)
> {
>     char *arguments = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";
>     message(1, "process '%s' (pid 1234) exited. "
>                "Scheduling for restart.",
>                arguments);
>     return 0;
> }
>
> We can see msg[128]='\0', but this is wrong. The arguments
> can be found in /etc/inittab.
>
> Signed-off-by: Chen Jie <[email protected]>
> ---
>  init/init.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/init/init.c b/init/init.c
> index b2fe856..b8f2e73 100644
> --- a/init/init.c
> +++ b/init/init.c
> @@ -221,9 +221,9 @@ static void message(int where, const char *fmt, ...)
>
>      msg[0] = '\r';
>      va_start(arguments, fmt);
> -    l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
> -    if (l > sizeof(msg) - 2)
> -        l = sizeof(msg) - 2;
> +    l = 1 + vsnprintf(msg + 1, sizeof(msg) - 3, fmt, arguments);
> +    if (l > sizeof(msg) - 3)
> +        l = sizeof(msg) - 3;
>      va_end(arguments);
>
>  #if ENABLE_FEATURE_INIT_SYSLOG
> --
> 1.8.0
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
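Review bot: the clamp this hunk lowers already keeps every write inside msg[]. With the removed lines `if (l > sizeof(msg) - 2) l = sizeof(msg) - 2;` l is at most 126, so the tail that follows (`msg[l] = '\0'; msg[l++] = '\n'; msg[l] = '\0';`, as the commit message's own test case shows it) writes msg[126] and msg[127], both inside char msg[128], and vsnprintf() with size sizeof(msg) - 2 writes no further than msg[126]. The msg[128] write in the commit message only happens because the test case clamps at sizeof(msg) - 1, which is not the code this hunk patches; either correct the test case to clamp at sizeof(msg) - 2 (it then stops overflowing) or show an input that overflows the real init.c. As written, moving to sizeof(msg) - 3 truncates messages one byte earlier without closing a bug.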
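The bounds arithmetic disputed in this thread, worked through as an added example; this is not code from the busybox project or from either poster. It re-implements only the length logic of message() as simulate_message(), parameterised by the two constants that differ between init.c, the posted test case and the patch, writes into a scratch buffer with slack so the simulation itself never writes out of bounds, and reports the highest index the real char msg[128] would have received. The format string and command line are taken from the test case; the function and struct names are my own, and the tail of message() is assumed to match the test case, since the hunk does not show it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 128u   /* sizeof(msg) in init.c's message() */

/* Outcome of one simulated message() call. */
struct bound_check {
    unsigned highest_index;  /* largest msg[] index the real message() would write */
    int in_bounds;           /* 1 if highest_index < MSG_SIZE */
};

/*
 * Length arithmetic of message() with the two constants that differ between
 * the versions on the page:
 *   vsn_size - the size handed to vsnprintf()
 *   cap      - the value l is clamped to before the tail writes
 * The text goes into a scratch buffer with slack after MSG_SIZE bytes, so the
 * simulation stays in bounds even when the arithmetic under test would not.
 * Precondition (true for every sizeof(msg) - k variant here): 0 < vsn_size <
 * MSG_SIZE and cap <= MSG_SIZE.
 */
static struct bound_check simulate_message(unsigned vsn_size, unsigned cap,
                                           const char *fmt, ...)
{
    char scratch[MSG_SIZE + 8];   /* stands in for char msg[128], plus slack */
    char *msg = scratch;
    struct bound_check r;
    va_list ap;
    unsigned l;
    int ret;

    memset(scratch, 0, sizeof(scratch));
    msg[0] = '\r';
    va_start(ap, fmt);
    ret = vsnprintf(msg + 1, vsn_size, fmt, ap);
    va_end(ap);

    /* vsnprintf() returns the length the whole output would have had, so l
     * exceeds the buffer for a long argument; the clamp decides how far the
     * tail writes reach. As in init.c, l is unsigned, so a negative return
     * would wrap and be clamped as well. */
    l = 1 + (unsigned)ret;
    if (l > cap)
        l = cap;

    /* The tail of message() as shown in the posted test case. */
    msg[l] = '\0';
    msg[l++] = '\n';
    msg[l] = '\0';

    /* Highest index touched: the tail's last write at msg[l], or the NUL that
     * vsnprintf() placed at msg[1 + min(ret, vsn_size - 1)], whichever is larger. */
    r.highest_index = l;
    if (ret >= 0) {
        unsigned fmt_end = 1 + ((unsigned)ret < vsn_size ? (unsigned)ret : vsn_size - 1);
        if (fmt_end > r.highest_index)
            r.highest_index = fmt_end;
    }
    r.in_bounds = r.highest_index < MSG_SIZE;
    return r;
}

/* Format string from the posted test case. */
static const char *const kRestartFmt =
    "process '%s' (pid 1234) exited. Scheduling for restart.";

/* init.c before the patch: sizeof(msg) - 2 for both constants. */
static struct bound_check check_init_c_as_is(const char *cmdline)
{
    return simulate_message(MSG_SIZE - 2, MSG_SIZE - 2, kRestartFmt, cmdline);
}

/* The commit message's test case: vsnprintf gets - 2, but l is clamped to - 1. */
static struct bound_check check_posted_test_case(const char *cmdline)
{
    return simulate_message(MSG_SIZE - 2, MSG_SIZE - 1, kRestartFmt, cmdline);
}

/* init.c after the patch: sizeof(msg) - 3 for both constants. */
static struct bound_check check_patched(const char *cmdline)
{
    return simulate_message(MSG_SIZE - 3, MSG_SIZE - 3, kRestartFmt, cmdline);
}

int main(void)
{
    /* Command line from the test case; the formatted text is well over 126 chars. */
    const char *cmdline =
        "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";
    struct bound_check a = check_init_c_as_is(cmdline);
    struct bound_check b = check_posted_test_case(cmdline);
    struct bound_check c = check_patched(cmdline);

    printf("init.c as-is    : highest index %u (%s)\n", a.highest_index, a.in_bounds ? "in bounds" : "OVERFLOW");
    printf("posted test case: highest index %u (%s)\n", b.highest_index, b.in_bounds ? "in bounds" : "OVERFLOW");
    printf("patched init.c  : highest index %u (%s)\n", c.highest_index, c.in_bounds ? "in bounds" : "OVERFLOW");
    return 0;
}
```

With the test case's input, the unpatched init.c constants top out at msg[127], the last byte of the array; the test case's own clamp of sizeof(msg) - 1 is what pushes the final write to msg[128]; and the patched constants stop at msg[126], one byte shorter than they need to be. Running the three variants side by side, rather than a single build with the real buffer, is what makes the off-by-one visible without triggering undefined behaviour.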
