[BusyBox 0004174]: handle_errors() buffer underflow
bugs at busybox.net
bugs at busybox.net
Wed Jul 16 23:11:52 UTC 2008
The following issue has been SUBMITTED.
======================================================================
http://busybox.net/bugs/view.php?id=4174
======================================================================
Reported By: cristic
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 4174
Category: Other
Reproducibility: always
Severity: minor
Priority: normal
Status: assigned
======================================================================
Date Submitted: 07-16-2008 16:11 PDT
Last Modified: 07-16-2008 16:11 PDT
======================================================================
Summary: handle_errors() buffer underflow
Description:
In handle_errors() (libbb/bb_strtonum.c), the line "if (endptr[-1] == '-')"
can lead to a buffer underflow, and the outcome of the branch will
usually
depend on uninitialized memory. Here is an example that triggers the
bug:
chmod a.b c
This leads to a call to bb_strtoul("a", NULL, 10), which calls
strtoul("a",
&endptr, 10), which will set endptr to point to the beginning of the
buffer
storing "a". Then endptr is passed to handle_errors() which is illegally
examining endptr[-1].
Looking at the code, I was confused about the comment on the "weird"
feature. Is that still needed? On my libc, calling strtol('-", &endptr,
10) sets endptr as expected to the beginning of the buffer storing "-", so
that particular if statement doesn't seem to be needed at all.
BTW, this bug can be hit by various other tools, here are some other
examples:
kill -l a
printf "% *" B
setuidgid a ""
Thanks,
Cristian
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
07-16-08 16:11 cristic New Issue
07-16-08 16:11 cristic Status new => assigned
07-16-08 16:11 cristic Assigned To => BusyBox
======================================================================
More information about the busybox-cvs
mailing list