Since commit 2f3f26ea1ec581cd24a0778323eb0844f03fd6a3, 'ulimit'
has included a loop over each item in the char array 'map', and
also attempted to access past the last element:
    char map[] = { /* ... */ };
    int i;
    for (i = 0; i < sizeof(map); i++) {
      // ...
    }
    if (prlimit(TT.P, map[i], &rr, 0)) perror_exit(0);
                      ^
                      out-of-bounds
What is the intended behavior?
And, since commit 2b999e614c48f084f6a14d589d434904aec6d491 in
'lib/linestack.c' there's been an 8-byte buffer 'buf' in the
'crunch_escape' function, where the 'sprintf' could potentially
overflow this buffer by 3 or 4 bytes (the value of 'wc').
Last, a very minor patch is attached for 'net/netstat.c'
ensuring that the file handle is closed before an early return
from the 'show_ip' routine.
ZV

From 4295e21d010781edb7980e877bddf7789d473927 Mon Sep 17 00:00:00 2001
From: Zach van Rijn <[email protected]>
Date: Sun, 2 Sep 2018 00:12:05 +0000
Subject: [PATCH] Close file handle before return on error.
---
toys/net/netstat.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/toys/net/netstat.c b/toys/net/netstat.c
index 7d67248..e22db24 100644
--- a/toys/net/netstat.c
+++ b/toys/net/netstat.c
@@ -115,7 +115,10 @@ static void show_ip(char *fname)
return;
}
- if(!fgets(toybuf, sizeof(toybuf), fp)) return; //skip header.
+ if(!fgets(toybuf, sizeof(toybuf), fp)) {
+ fclose(fp);
+ return; //skip header.
+ }
while (fgets(toybuf, sizeof(toybuf), fp)) {
char lip[256], rip[256];
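Review bot: In the new error branch the trailing comment "//skip header." has moved onto the "return;" line, where it reads as describing the early return rather than the fgets() call that consumes the header line. Keep the comment on the "if(!fgets(toybuf, sizeof(toybuf), fp)) {" line, or drop it from the return, so the branch clearly reads as "header read failed: close fp and leave".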
--
2.11.0
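
The loop-index problem described at the top of this message, as an added example (not toybox code and not part of the original mail): after a full scan, i equals sizeof(map), so it may only be used as an index when the loop ended early. The contents of 'map' and the helper names find_slot and resource_for are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the 'map' array in the message. */
static const char map[] = { 'c', 'd', 'f', 'n', 's' };

/* Returns the index of 'opt' in map, or -1 when the scan finds nothing.
 * After a full scan i == sizeof(map), one past the last element, so i is
 * a valid index only when the loop ended through the break. */
int find_slot(char opt)
{
  size_t i;

  for (i = 0; i < sizeof(map); i++)
    if (map[i] == opt) break;

  if (i == sizeof(map)) return -1;
  return (int)i;
}

/* Use site: map[] is indexed only after the bounds check has passed. */
int resource_for(char opt, char *out)
{
  int slot = find_slot(opt);

  if (slot < 0) return -1;
  *out = map[slot];
  return 0;
}

int main(void)
{
  char r;

  printf("'n' -> slot %d\n", find_slot('n'));
  printf("'z' -> slot %d\n", find_slot('z'));
  if (resource_for('z', &r)) puts("'z' rejected before map[] is indexed");
  return 0;
}
```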