[BusyBox] bug report (?)
Vladimir N. Oleynik
dzo at simtreas.ru
Fri Jun 7 03:59:04 UTC 2002
Gerardo and Erik.
> - In file makedevs.c, function makedevs_main().
>
> makedevs.c:28 basedev = argv[1];
> (...)
> makedevs.c:
> (...)
> makedevs.c:55 strcpy(devname, basedev);
>
> If sbase == 0, a strcat() call later appends a number to devname.
> Neither strcpy() nor strcat() check to see if there's room in devname
> for the string they are copying into it. devname is only 255 bytes
> long, so it doesn't take a lot to make a stack overflow on it. This is
> exploitable very easily.
I have patched makedevs.c to eliminate the additional code from
your bug report.
It was also possible to lower the size compared with before your correction
and reduce stack usage by 260 bytes. ;)
   text    data     bss     dec     hex filename
    361       0       0     361     169 makedevs_new.o
    510       0       0     510     1fe makedevs_cvs.o
    416       0       0     416     1a0 makedevs_1.11.o
Agree?
--w
vodz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: last_patch42.gz
Type: application/octet-stream
Size: 859 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20020607/792b1e0f/attachment.obj