[Bug 309] mdev -s should not abort on first error
bugzilla at busybox.net
Mon May 4 07:00:42 UTC 2009
https://bugs.busybox.net/show_bug.cgi?id=309
--- Comment #4 from Michael Tokarev <mjt+busybox at corpit.ru> 2009-05-04 07:00:41 UTC ---
Ok, now that's.. interesting.
The patch triggers an old bug in mdev. Here it is (only relevant parts are
shown):

    static void make_device(char *path, int delete) {
        char *dev_maj_min = path + strlen(path);
        if (!delete) {
            strcpy(dev_maj_min, "/dev");
            len = open_read_close(path, dev_maj_min + 1, 64);

Obviously it is writing past the `path' string, assuming it is in some
large-enough buffer. And it is when called from fileAction(), but not when
called from mdev_main(). Before the change, make_device() was passed a
scratch buffer. Now we're passing the value returned by xstrdup(), which does
not have anything past the string, and the above code corrupts malloc() data
structures.

It looks like we don't need the strdup() since make_device(), while it clobbers
something past the string end, does not touch the string itself. So the second
hunk of the patch isn't needed.

Alternatively we can call load_firmware() before make_device().
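The buffer arithmetic behind the corruption described in the comment above, as an added example that is not part of the original message or of the BusyBox source. `tail_bytes_needed()` and `append_dev_checked()` are hypothetical helpers, the sample path is constructed, and the exact-size allocation stands in for what xstrdup() returns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUFFIX   "/dev"
#define READ_MAX 64   /* size passed to open_read_close() in the excerpt */

/* Bytes the make_device() excerpt touches, counted from the start of path:
 * strcpy() writes "/dev" plus its NUL at the old terminator, and the read
 * may fill READ_MAX bytes starting one byte after the old terminator. */
static size_t tail_bytes_needed(const char *path)
{
    size_t len = strlen(path);
    size_t after_suffix = len + sizeof(SUFFIX);  /* sizeof counts the NUL */
    size_t after_read = len + 1 + READ_MAX;
    return after_suffix > after_read ? after_suffix : after_read;
}

/* Checked form of the same step (hypothetical): the caller states how large
 * the buffer behind path really is. Returns 0 after appending "/dev", or -1
 * with the buffer untouched when the tail would not fit. */
static int append_dev_checked(char *path, size_t cap)
{
    if (cap < tail_bytes_needed(path))
        return -1;
    strcpy(path + strlen(path), SUFFIX);
    return 0;
}

int main(void)
{
    const char *sample = "/sys/block/sda";   /* constructed sample path */
    size_t exact = strlen(sample) + 1;

    /* Scratch buffer, as in the fileAction() call path. */
    char scratch[4096];
    memcpy(scratch, sample, exact);
    printf("scratch: needs %zu of %zu bytes -> %d\n",
           tail_bytes_needed(sample), sizeof(scratch),
           append_dev_checked(scratch, sizeof(scratch)));

    /* Exact-size heap copy, which is what a strdup-style call returns. */
    char *dup = malloc(exact);
    if (!dup)
        return 1;
    memcpy(dup, sample, exact);
    printf("exact copy: needs %zu of %zu bytes -> %d\n",
           tail_bytes_needed(dup), exact, append_dev_checked(dup, exact));
    free(dup);
    return 0;
}
```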