[BusyBox 0004594]: nmeter buffer overflow

bugs at busybox.net bugs at busybox.net
Thu Aug 14 21:58:08 UTC 2008


The following issue has been CLOSED 
====================================================================== 
http://busybox.net/bugs/view.php?id=4594 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4594
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             08-13-2008 17:57 PDT
Last Modified:              08-14-2008 14:58 PDT
====================================================================== 
Summary:                    nmeter buffer overflow
Description: 
Test case: ./nmeter -

The problem is in nmeter.c:

776:	char buf[32];
...

790:	if (open_read_close("version", buf, sizeof(buf)) > 0)
791:		is26 = (strstr(buf, " 2.4.")==NULL);

At line 790, up to 32 chars are read into buf.  If all 32 chars are
used, there's no space left for a terminating zero, and strstr will
read out-of-bounds memory.  The fix would be to either resize buf or
read only up to sizeof(buf)-1 char, and to terminate buf with a '\0'.

Thanks,
Cristian
====================================================================== 
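
The fix described in the report above (read at most sizeof(buf)-1 bytes, then terminate), written out as an added example; it is not BusyBox code and not the change made in the tracker. read_terminated, is26_from_file and write_sample are hypothetical names, and the sample text is constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not BusyBox's open_read_close): stores at most
 * size-1 bytes and always NUL-terminates. Returns bytes stored or -1. */
static ssize_t read_terminated(const char *path, char *buf, size_t size)
{
	size_t used = 0;
	ssize_t n;
	int fd = size ? open(path, O_RDONLY) : -1;
	if (fd < 0)
		return -1;
	while (used < size - 1 && (n = read(fd, buf + used, size - 1 - used)) > 0)
		used += (size_t)n;
	close(fd);
	buf[used] = '\0';	/* string functions now stop inside buf */
	return (ssize_t)used;
}

/* The check from nmeter.c line 791: 1 = no " 2.4.", 0 = found, -1 = unreadable. */
static int is26_from_file(const char *path)
{
	char buf[32];
	if (read_terminated(path, buf, sizeof(buf)) <= 0)
		return -1;
	return strstr(buf, " 2.4.") == NULL;
}

/* Writes constructed sample text to a mkstemp() template path; 0 on success. */
static int write_sample(char *path_tmpl, const char *text)
{
	int fd = mkstemp(path_tmpl);
	ssize_t n = fd < 0 ? -1 : write(fd, text, strlen(text));
	if (fd >= 0)
		close(fd);
	return n == (ssize_t)strlen(text) ? 0 : -1;
}

int main(void)
{
	char path[] = "/tmp/nmeter_ex_XXXXXX";	/* constructed sample, > 32 bytes */
	if (write_sample(path, "Linux version 2.6.26 (constructed sample, no NUL)") == 0)
		printf("is26 = %d\n", is26_from_file(path));
	unlink(path);
	return 0;
}
```
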

---------------------------------------------------------------------- 
 vda - 08-14-08 14:58  
---------------------------------------------------------------------- 
fixed in rev 23078, thanks 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
08-13-08 17:57  cristic        New Issue                                    
08-13-08 17:57  cristic        Status                   new => assigned     
08-13-08 17:57  cristic        Assigned To               => BusyBox         
08-14-08 14:58  vda            Status                   assigned => closed  
08-14-08 14:58  vda            Note Added: 0010434                          
======================================================================



