[git commit] whois: fix a possible out-of-bounds stack access

Denys Vlasenko vda.linux at googlemail.com
Tue Sep 4 12:48:00 UTC 2018


commit: https://git.busybox.net/busybox/commit/?id=3d6f95ede6e98cd245cfbdc4c429a184f6c0d717
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

If fgets() returns incomplete string, we replace NUL with
'\n', and then trim() runs on a non-NUL-terminated buffer.
Prevent that.

While at it, bump buffer from 1k to 2k.

function                                             old     new   delta
query                                                519     524      +5

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/whois.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/networking/whois.c b/networking/whois.c
index f0ec86301..f3da32b4e 100644
--- a/networking/whois.c
+++ b/networking/whois.c
@@ -39,20 +39,26 @@ static char *query(const char *host, int port, const char *domain)
 	bool success;
 	char *redir = NULL;
 	const char *pfx = "";
-	char linebuf[1024];
+	/* some .io domains reported to have very long strings in whois
+	 * responses, 1k was not enough:
+	 */
+	char linebuf[2 * 1024];
 	char *buf = NULL;
 	unsigned bufpos = 0;
 
  again:
 	printf("[Querying %s:%d '%s%s']\n", host, port, pfx, domain);
 	fd = create_and_connect_stream_or_die(host, port);
-	success = 0;
 	fdprintf(fd, "%s%s\r\n", pfx, domain);
 	fp = xfdopen_for_read(fd);
 
-	while (fgets(linebuf, sizeof(linebuf), fp)) {
-		unsigned len = strcspn(linebuf, "\r\n");
+	success = 0;
+	while (fgets(linebuf, sizeof(linebuf)-1, fp)) {
+		unsigned len;
+
+		len = strcspn(linebuf, "\r\n");
 		linebuf[len++] = '\n';
+		linebuf[len] = '\0';
 
 		buf = xrealloc(buf, bufpos + len + 1);
 		memcpy(buf + bufpos, linebuf, len);
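Review bot: the `-1` in `fgets(linebuf, sizeof(linebuf)-1, fp)` in the read loop has no comment saying what it reserves, and it is the only thing keeping the two stores below it in bounds. With a full-length read `strcspn()` returns at most `sizeof(linebuf)-2`, so `linebuf[len++] = '\n'` lands on the second-to-last byte and `linebuf[len] = '\0'` on the last one. A one-line comment next to the `fgets()` call stating that one byte is held back for the appended newline would stop a later cleanup from restoring `sizeof(linebuf)`. Separately, a server line longer than the buffer still gets a `'\n'` inserted at the chunk boundary, so it is stored as two lines. The new comment on `linebuf` says 1k was already too small for some responses, so it is worth checking that whatever parses these lines tolerates a split at the 2k mark, or marking the continuation explicitly.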

