BusyBox version 1.29.2 (though some of these may exist in prior
versions) has a few more buffer overflow bugs:
(1) procps/powertop.c:173, 'buf' [1] (192 bytes) is too small:
sprintf(buf, "%s/%s/power", "/proc/acpi/processor", d->d_name);
(struct dirent)->d_name is 256 bytes [2], plus the format
string brings it up to at least 283 bytes (exceeding 192).
(2) procps/smemcap.c:54, 'header.checksum' [3] (8 bytes)
The format string [4] can be between 7 and 12 bytes, which
may exceed the 8-byte buffer.
(3) miscutils/i2c_tools.c:1118-1208
Multiple 'printf'-family functions may overflow their buffer
in this function [5].
(4) libbb/copy_file.c:375, variable used after freed [6].
(5) libbb/unicode.c:1124, dereference NULL pointer possible [7].
ZV
[1]: https://git.busybox.net/busybox/tree/procps/powertop.c?h=1_29_2#n173
[2]: http://man7.org/linux/man-pages/man3/readdir.3.html
[3]: https://git.busybox.net/busybox/tree/include/bb_archive.h?h=1_29_2#n151
[4]: https://git.busybox.net/busybox/tree/procps/smemcap.c?h=1_29_2#n54
[5]: https://git.busybox.net/busybox/tree/miscutils/i2c_tools.c?h=1_29_2#n1118
[6]: https://git.busybox.net/busybox/tree/libbb/copy_file.c?h=1_29_2#n375
[7]: https://git.busybox.net/busybox/tree/libbb/unicode.c?h=1_29_2#n1124
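
The size arithmetic in item (1), worked through as an added example (not part of the original message and not BusyBox code). It measures what the quoted format string needs for the longest possible d_name and shows a bounded variant that rejects truncation; the helper names and the sample name "CPU0" are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define POWERTOP_BUF_SIZE 192  /* size of 'buf' as reported in item (1) */
#define DNAME_MAX 255          /* longest name in a 256-byte d_name field */

/* Bytes, including the terminating NUL, that the quoted format needs. */
static size_t power_path_need(const char *name)
{
    int n = snprintf(NULL, 0, "%s/%s/power", "/proc/acpi/processor", name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded variant: returns 0 on success, -1 if the path would not fit. */
static int build_power_path(char *dst, size_t dst_size, const char *name)
{
    int n = snprintf(dst, dst_size, "%s/%s/power",
                     "/proc/acpi/processor", name);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size)
            dst[0] = '\0';     /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char longest[DNAME_MAX + 1];   /* constructed worst-case entry name */
    char buf[POWERTOP_BUF_SIZE];

    memset(longest, 'A', DNAME_MAX);
    longest[DNAME_MAX] = '\0';

    printf("worst case needs %zu bytes, buffer has %d\n",
           power_path_need(longest), POWERTOP_BUF_SIZE);
    printf("short name: %d\n", build_power_path(buf, sizeof buf, "CPU0"));
    printf("worst case: %d\n", build_power_path(buf, sizeof buf, longest));
    return 0;
}
```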