Report of the static analyzer:
1. OVERFLOW_UNDER_CHECK Accessing an element of array 'ptr_to_globals->speeds' 
of size 10 at getty.c:165 (G.speeds[G.numspeed] = bcode(cp);)
can lead to a buffer overflow, since the index 'ptr_to_globals->numspeed' can 
have an out of range value 10, 
as indicated by a preceding conditional expression at getty.c:170.

2. OVERFLOW_UNDER_CHECK Accessing an element of array 'ptr_to_globals->speeds' 
of size 10 at getty.c:166 (if (G.speeds[G.numspeed] < 0))
can lead to a buffer overflow, since the index 'ptr_to_globals->numspeed' can 
have an out of range value 10,
as indicated by a preceding conditional expression at getty.c:170.

Corrections explained:
Fixed a potential vulnerability related to out-of-bounds access in the G.speeds 
array within the parse_speeds function. 
Previously, the check for exceeding the array size was performed after writing 
to the array, 
which could result in writing beyond the valid range (index 10 for an array of 
size 10).  

Changes:  

- The check if (G.numspeed >= MAX_SPEED) is now performed before writing to the 
array. If the number of speeds exceeds MAX_SPEED, the program terminates with 
an error.  
- G.numspeed is incremented only after a successful write operation, ensuring 
proper index management.  

These changes prevent potential buffer overflow issues and improve the overall 
safety of the code.

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>

---
 loginutils/getty.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/loginutils/getty.c b/loginutils/getty.c
index 4581cc9f7..5c24d815f 100644
--- a/loginutils/getty.c
+++ b/loginutils/getty.c
@@ -162,13 +162,13 @@ static void parse_speeds(char *arg)
        /* NB: at least one iteration is always done */
        debug("entered parse_speeds\n");
        while ((cp = strsep(&arg, ",")) != NULL) {
+               if (G.numspeed >= MAX_SPEED) 
+            bb_simple_error_msg_and_die("too many alternate speeds");
                G.speeds[G.numspeed] = bcode(cp);
                if (G.speeds[G.numspeed] < 0)
                        bb_error_msg_and_die("bad speed: %s", cp);
                /* note: arg "0" turns into speed B0 */
                G.numspeed++;
-               if (G.numspeed > MAX_SPEED)
-                       bb_simple_error_msg_and_die("too many alternate 
speeds");
        }
        debug("exiting parse_speeds\n");
 }
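Review bot: The two added lines at the top of the while loop do not match the indentation of the surrounding code: the bb_simple_error_msg_and_die() call sits at a shallower indent than the `if` that guards it, and there is trailing whitespace after `if (G.numspeed >= MAX_SPEED)`. Please re-indent both lines to match the loop body. The logic itself looks right: with the old `G.numspeed > MAX_SPEED` test placed after the increment, numspeed could reach MAX_SPEED without dying, so the next iteration stored into G.speeds[MAX_SPEED] before the check fired; testing `>=` before the store closes that off. Two smaller points. The commit message lists "G.numspeed is incremented only after a successful write" as a change, but `G.numspeed++` is an unchanged context line here, so that bullet should be dropped or reworded. Also, the guard is only correct if G.speeds is declared with MAX_SPEED elements; the declaration is not in this hunk, so it is worth confirming, or deriving the bound from the array itself so the two cannot drift apart.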
-- 
2.30.2
