[BusyBox] bug report (?)

Vladimir N. Oleynik dzo at simtreas.ru
Fri Jun 7 03:59:04 UTC 2002


Gerardo and Erik.

> - In file makedevs.c, function makedevs_main().
> 
>   makedevs.c:28         basedev = argv[1];
>                         (...)
>   makedevs.c:
>                         (...)
>   makedevs.c:55         strcpy(devname, basedev);
> 
>   If sbase == 0, a strcat() call later appends a number to devname.
>   Neither strcpy() nor strcat() checks to see if there's room in devname
>   for the string they are copying into it. devname is only 255 bytes
>   long, so it doesn't take a lot to make a stack overflow on it. This is
>   exploitable very easily.

I have patched makedevs.c for elimination of additional code
with your bug report.
Also it was possible to lower the size before your correction
and reduce use of the stack by 260 bytes. ;)

   text    data     bss     dec     hex filename
    361       0       0     361     169 makedevs_new.o
    510       0       0     510     1fe makedevs_cvs.o
    416       0       0     416     1a0 makedevs_1.11.o


Agree?


--w
vodz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: last_patch42.gz
Type: application/octet-stream
Size: 859 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20020607/792b1e0f/attachment.obj 
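
Added example, not part of the original message or of the attached BusyBox patch: a bounded way to build the device name that the quoted report says is assembled with unchecked strcpy()/strcat() into a 255-byte buffer. The helper build_devname(), its append_index parameter and the sample device path are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEVNAME_MAX 255  /* size of devname quoted in the report */

/* Unchecked pattern from the report, kept here for comparison only:
 *     strcpy(devname, basedev);  strcat(devname, number);
 * Nothing relates strlen(basedev) to sizeof devname.
 */

/* Hypothetical helper: build "<basedev>" or "<basedev><index>" in out[outsz].
 * Returns 0 on success, -1 if the result would not fit (out is left empty). */
int build_devname(char *out, size_t outsz, const char *basedev,
                  int index, int append_index)
{
    int n;

    if (out == NULL || outsz == 0 || basedev == NULL)
        return -1;
    if (append_index)
        n = snprintf(out, outsz, "%s%d", basedev, index);
    else
        n = snprintf(out, outsz, "%s", basedev);
    /* snprintf returns the length it needed; n >= outsz means truncation */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char devname[DEVNAME_MAX];
    /* constructed default, used only when no argument is given */
    const char *basedev = argc > 1 ? argv[1] : "/dev/ttyS";

    if (build_devname(devname, sizeof devname, basedev, 0, 1) != 0) {
        fprintf(stderr, "device name too long\n");
        return 1;
    }
    puts(devname);
    return 0;
}
```

Rejecting an over-long name instead of silently truncating it avoids creating a device node under a name the caller did not ask for.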

