A few questions by my side:

* would it be possible to replace vsnprintf() with vasprintf() ?
* why:
>     msg[l] = '\0';
>     msg[l++] = '\n';
  you will overwrite the 0. (in the original it's the other way around)

NTL maybe it's simpler to send a \n instead of attaching it ?

re,
wh

The other way around seems more logical.

On 31.08.2015 19:55, [email protected] wrote:
> From: chenjie <[email protected]>
>
> The message function will lead to a buffer overflow.
> The test case is like this:
>
> #include <stdio.h>
> #include <string.h>
> #include <stdarg.h>
> #include <stdlib.h>
>
> void message(int where, const char *fmt, ...){
>     va_list arguments;
>     unsigned l;
>     char msg[128];
>
>     msg[0] = '\r';
>     va_start(arguments, fmt);
>     l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
>     if (l > sizeof(msg) - 1)
>         l = sizeof(msg) - 1;
>     va_end(arguments);
>
>     msg[l] = '\0';
>     msg[l++] = '\n';
>     printf("l is length %u\n", l);
>     msg[l] = '\0';
> }
>
> int main(){
>     char *arguments = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";
>     message(1, "process '%s' (pid 1234) exited. "
>                "Scheduling for restart.",
>             arguments);
>     return 0;
> }
>
> We can see msg[128]='\0', but this is wrong. The arguments
> can be found in /etc/inittab.
>
> Signed-off-by: Chen Jie <[email protected]>
> ---
>  init/init.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/init/init.c b/init/init.c
> index b2fe856..b8f2e73 100644
> --- a/init/init.c
> +++ b/init/init.c
> @@ -221,9 +221,9 @@ static void message(int where, const char *fmt, ...)
>
>  	msg[0] = '\r';
>  	va_start(arguments, fmt);
> -	l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
> -	if (l > sizeof(msg) - 2)
> -		l = sizeof(msg) - 2;
> +	l = 1 + vsnprintf(msg + 1, sizeof(msg) - 3, fmt, arguments);
> +	if (l > sizeof(msg) - 3)
> +		l = sizeof(msg) - 3;
>  	va_end(arguments);
>
>  #if ENABLE_FEATURE_INIT_SYSLOG

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
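Review bot: the clamp in the removed lines already keeps the later writes inside the buffer, so the change to sizeof(msg) - 3 looks unnecessary, and the test case in the commit message does not match the code being patched. With sizeof(msg) == 128 the '-' lines clamp l to 126, and the msg[l] = '\0'; msg[l++] = '\n'; msg[l] = '\0'; sequence that follows va_end() (outside this hunk's context) then touches at most msg[127], the last byte of the array; the standalone test case clamps at sizeof(msg) - 1 instead, and that is what produces its msg[128] write. Suggest re-checking the arithmetic against the real message(), including the lines after va_end() in the hunk context if a change is still wanted, and dropping the first msg[l] = '\0' store since the '\n' overwrites it anyway.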
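To make the bound arithmetic argued over in this thread concrete, here is an added example (written for this page, not busybox's message() and not code from either poster) that formats "\r<text>\n" into a fixed 128-byte buffer with the sizeof(msg) - 2 reservation and returns the final length, so the highest index written can be checked on the thread's own over-long syslog-ng message. format_message and its size >= 3 assumption are this example's own.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not busybox code: build "\r<text>\n" in a fixed buffer
 * and return the final length so the bounds can be asserted.
 * Assumes size >= 3 so that '\r', '\n' and the NUL always fit. */
size_t format_message(char *msg, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t l;

    msg[0] = '\r';
    va_start(ap, fmt);
    /* size - 2 reserves the last two bytes for '\n' and the NUL.
     * vsnprintf returns the length the text WOULD have had, not the
     * number of bytes stored, so n can exceed the buffer: clamp it. */
    n = vsnprintf(msg + 1, size - 2, fmt, ap);
    va_end(ap);
    if (n < 0)               /* encoding error: treat as empty text */
        n = 0;
    l = 1 + (size_t)n;
    if (l > size - 2)
        l = size - 2;
    /* Newline, then terminator; the highest index written is size - 1.
     * (A NUL stored before the '\n' would only be overwritten by it.) */
    msg[l++] = '\n';
    msg[l] = '\0';
    return l;
}

int main(void)
{
    char msg[128];
    /* Constructed input in the spirit of the thread: long enough to be truncated. */
    size_t l = format_message(msg, sizeof(msg),
        "process '%s' (pid 1234) exited. Scheduling for restart.",
        "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F");
    printf("final length %zu, last index written %zu, buffer size %zu\n",
           l, l, sizeof(msg));
    return 0;
}
```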
