[BusyBox] Memory corruption in ln

Pavel Roskin proski at gnu.org
Wed Jun 21 23:31:50 UTC 2000


Hello, Erik!

I hope it's not too late.
Our "ln" corrupts memory in the most common cases.

If "-n" is not specified, "ln" tries to dereference the link for the
destination. If the destination is not a link (e.g. it doesn't exist), the
function readlink() returns -1. Then the following is executed:

srcName[-1] = '\0';

This corrupts memory! At least on some platforms it can cause hard-to-debug
problems.

On the other hand, srcName is never used after being filled with data. This
means that "-n" doesn't work at all.

I tried to fix "-n", but it is not trivial. Basically, linking to
directories needs to be fixed, but it requires a lot of new code (you
cannot link a file to a dir; you should link the file to dir/file).

If it's not too late, I'd like to disable "-n" and the corresponding code
for the 0.44 release. Please note that the memory corruption occurs when
"-n" is not specified!

If you are going to release 0.44 today, please apply the patch below.

Regards,
Pavel Roskin

===============================
diff -u -d -r1.18 ln.c
--- ln.c	2000/06/21 22:53:23	1.18
+++ ln.c	2000/06/21 23:28:51
@@ -40,8 +40,10 @@
 	"\t-s\tmake symbolic links instead of hard links\n"
 
 	"\t-f\tremove existing destination files\n"
+#if 0
 	"\t-n\tno dereference symlinks - treat like normal file\n"
 #endif
+#endif
 	;
 
 static int symlinkFlag = FALSE;
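Review bot: the `#if 0` around the "-n" help line says nothing about why it is disabled. Since the text is kept rather than deleted, a one-line comment next to it (e.g. `/* -n disabled for 0.44: readlink() result unchecked, see below */`) would tell whoever re-enables the option what has to be fixed first. Note also that this hunk only removes the usage text; whether the option parser still accepts "-n" is not visible here and should be checked so the flag is rejected rather than silently ignored.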
@@ -103,14 +105,18 @@
 	}
 
 	while (argc-- >= 2) {
+#if 0
 		char srcName[BUFSIZ + 1];
-		int nChars, status;
+		int nChars;
+#endif
+		int status;
 
 		if (strlen(*argv) > BUFSIZ) {
 			fprintf(stderr, name_too_long, "ln");
 			exit FALSE;
 		}
 
+#if 0
 		if (followLinks == FALSE) {
 			strcpy(srcName, *argv);
 		} else {
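Review bot: the `if (strlen(*argv) > BUFSIZ)` check now guards nothing, because the only consumer of that bound, `strcpy(srcName, *argv)`, is inside the new `#if 0`. Either move the check into the same `#if 0` block or leave a comment saying it is kept on purpose, otherwise it reads as a leftover. Also, `followLinks` is only referenced inside the disabled code, so if the parsing that sets it still exists it is now write-only; disabling that too would make "-n" fail loudly as intended.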
@@ -119,6 +125,7 @@
 			nChars = readlink(*argv, srcName, BUFSIZ);
 			srcName[nChars] = '\0';
 		}
+#endif
 
 		if (removeoldFlag == TRUE) {
 			status = (unlink(linkName) && errno != ENOENT);
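Review bot: the disabled block still contains the actual bug, `nChars = readlink(*argv, srcName, BUFSIZ);` followed by `srcName[nChars] = '\0';` with no check for `nChars < 0`. Because the code is hidden with `#if 0` rather than removed, it will come back verbatim when someone re-enables "-n"; add a comment at the `srcName[nChars]` line noting that readlink() returns -1 for a non-link or missing path (and does not NUL-terminate), or delete the block outright so the fix cannot be skipped.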
===============================
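As an added illustration, not part of Pavel's message or of the BusyBox tree: the same readlink() step written with the checks the 0.44 ln code lacks. readlink() returns -1 with errno EINVAL when the path exists but is not a symlink, -1 with ENOENT (or another errno) when it cannot be read at all, and never NUL-terminates, so a caller that blindly does `buf[n] = '\0'` writes to buf[-1] in exactly the "destination does not exist" case described above. link_target(), run_checks() and the fixture paths below are hypothetical names chosen for this example; the fixture files are constructed under a mkdtemp() directory and removed again.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of link_target() (example-only names). */
enum { LT_LINK = 0, LT_NOT_LINK = 1, LT_ERROR = -1 };

/*
 * Copy the symlink target of path into dst (hypothetical helper).
 * Unlike the 0.44 ln loop, it looks at readlink()'s return value:
 *   -1/EINVAL  -> path exists but is not a symlink; behave like -n
 *                 and use the name itself (LT_NOT_LINK)
 *   -1/other   -> real error such as ENOENT; errno is left for the caller
 *   n == bufsz -> target did not fit; refuse rather than use a truncated name
 * Only after those checks is the NUL terminator written at dst[n].
 */
int link_target(const char *path, char *dst, size_t dstsize)
{
    ssize_t n;

    if (dstsize == 0) {
        errno = EINVAL;
        return LT_ERROR;
    }
    n = readlink(path, dst, dstsize - 1);   /* leave room for the NUL */
    if (n < 0) {
        if (errno == EINVAL) {              /* not a symlink: keep the name */
            if (strlen(path) >= dstsize) {
                errno = ENAMETOOLONG;
                return LT_ERROR;
            }
            strcpy(dst, path);
            return LT_NOT_LINK;
        }
        return LT_ERROR;                    /* ENOENT, EACCES, ELOOP, ... */
    }
    if ((size_t)n >= dstsize - 1) {         /* possibly truncated target */
        errno = ENAMETOOLONG;
        return LT_ERROR;
    }
    dst[n] = '\0';                          /* readlink() does not do this */
    return LT_LINK;
}

/*
 * Build a throwaway fixture (a plain file and a symlink to it in a fresh
 * temp dir), exercise link_target() on a symlink, a plain file, a missing
 * name and a too-small buffer, remove the fixture, and return a bitmask of
 * failed cases (0 means every case behaved as described above).
 */
int run_checks(void)
{
    char dir[] = "/tmp/ln_demo_XXXXXX";     /* constructed fixture, not real data */
    char plain[PATH_MAX], lnk[PATH_MAX], missing[PATH_MAX], out[PATH_MAX];
    int fails = 0;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return 0x100;
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(missing, sizeof missing, "%s/missing", dir);

    f = fopen(plain, "w");
    if (f == NULL || fclose(f) != 0 || symlink("plain", lnk) != 0) {
        unlink(plain);
        rmdir(dir);
        return 0x200;
    }

    /* 1: a symlink yields its (relative) target text */
    if (link_target(lnk, out, sizeof out) != LT_LINK || strcmp(out, "plain") != 0)
        fails |= 1;
    /* 2: a plain file is reported as not-a-link and its own name is returned */
    if (link_target(plain, out, sizeof out) != LT_NOT_LINK || strcmp(out, plain) != 0)
        fails |= 2;
    /* 3: a missing name is an error with ENOENT; this is the srcName[-1] case */
    if (link_target(missing, out, sizeof out) != LT_ERROR || errno != ENOENT)
        fails |= 4;
    /* 4: a buffer too small for "plain" is refused instead of truncated */
    if (link_target(lnk, out, 3) != LT_ERROR)
        fails |= 8;

    unlink(lnk);
    unlink(plain);
    rmdir(dir);
    return fails;
}

int main(void)
{
    int fails = run_checks();
    printf("failed cases: 0x%x\n", fails);
    return fails != 0;
}
```

Case 3 is the one the original loop got wrong: readlink() fails, so the caller must stop before touching dst, not index it with -1. Case 4 is the other half of the same contract, since readlink() silently truncates to the buffer size it was given.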
