[BusyBox 0004184]: printf buffer overflow

bugs at busybox.net bugs at busybox.net
Thu Jul 17 00:32:42 UTC 2008


The following issue has been SUBMITTED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=4184 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4184
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             07-16-2008 17:32 PDT
Last Modified:              07-16-2008 17:32 PDT
====================================================================== 
Summary:                    printf buffer overflow
Description: 
Hi, "printf %" leads to a buffer overflow, and prints random values from
the stack:

This should be rejected as in Coreutils:
$ printf %
./printf: %: invalid conversion specification

  The problem is that printf does not validate the format specifier.  One
possible fix would be to add a check along these lines this after line 201
in
printf.c:
                        direc_start = f++;
+                       if (*f == '\0') 
+                          fprintf(stderr, "invalid conversion
specification");
			direc_length = 1;
			field_width = precision = -1;
			if (*f == '%') {
				bb_putchar('%');
				break;
			}
Thanks,
Cristian
====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-16-08 17:32  cristic        New Issue                                    
07-16-08 17:32  cristic        Status                   new => assigned     
07-16-08 17:32  cristic        Assigned To               => BusyBox         
======================================================================




More information about the busybox-cvs mailing list