[BusyBox] bug report (?)

Vladimir N. Oleynik dzo at simtreas.ru
Thu Jun 13 08:18:03 UTC 2002


Gerardo,

> - In file mount.c, function mount_main(). The buffer string_flags_buff can
>   be overflown very easily through parse_mount_options() just by sending
>   a very long option name, or simply too many options, through the -o
>   command line argument.
>   There's no single line responsible for the flaw. The whole parse_mount_options()
>   was thought supposing that there was room enough in the buffer strflags
>   for whatever might be given as an option. The problem is that whatever
>   is given in the command line is passed to parse_argument_options(),
>   allowing anyone willing to do it to overflow the stack and execute
>   whatever code s/he wants.
> 
>   This is exploitable.
> 
>   BTW, there seems to be another error in function parse_mount_options(),
>   but it's one of those errors that, incredibly enough, end up doing
>   what they were INTENDED to do but not THE WAY they were supposed to do it.
> 
>   mount.c:218           if (*strflags && strflags != '\0' && gotone == false) {
> 
>   I'm not sure, but I think the intention was to check if strflags was
>   NULL and then to see if there was some text in it. Instead, it checks
>   if there's a char different than 0 in the address pointed by strflags,
>   and then compares the pointer strflags with '\0'. It'll work as long as
>   strflags is not NULL... fun stuff :)

;)

Look at the last patch for "mount".
I removed the exploitable part and optimized for size.
Also, I removed the mistake you found on line 218. You're right.
Also, I removed two VERY old warnings and one exported name.

$ size mount_old.o mount.o
   text    data     bss     dec     hex filename
   2853       4       0    2857     b29 mount_old.o
   2846       4       0    2850     b22 mount.o
 

--w
vodz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: last_patch46.gz
Type: application/octet-stream
Size: 1459 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20020613/d18b7db0/attachment.obj 
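As an added illustration of the two points raised in the thread (this is example code written for this page, not BusyBox's mount.c and not the attached last_patch46.gz): a bounded version of the comma-separated -o option handling that refuses an option which does not fit the fixed string buffer instead of writing past it, together with the corrected form of the mount.c:218 test, which checks the pointer for NULL before looking at its first character. The option table, the OPT_* flag bits and the helper names append_strflag and has_strflags are assumptions made for the example; they are not the kernel's MS_* values or BusyBox's identifiers.

```c
/* Added example (not BusyBox's own mount.c): a bounded version of the
 * option-splitting that mount -o feeds into parse_mount_options().
 * Known options set/clear bits in *flags; anything else is appended to
 * a caller-sized string buffer, and the append fails instead of
 * overflowing when the buffer is too small.  Flag bit values and the
 * option table below are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical flag bits (not the kernel's MS_* values). */
#define OPT_RDONLY  0x01
#define OPT_NOSUID  0x02
#define OPT_NOEXEC  0x04

struct opt_entry {
    const char *name;
    unsigned long set;    /* bits turned on  */
    unsigned long clear;  /* bits turned off */
};

static const struct opt_entry opt_table[] = {
    { "ro",     OPT_RDONLY, 0 },
    { "rw",     0,          OPT_RDONLY },
    { "nosuid", OPT_NOSUID, 0 },
    { "suid",   0,          OPT_NOSUID },
    { "noexec", OPT_NOEXEC, 0 },
    { "exec",   0,          OPT_NOEXEC },
};

/* Corrected form of the mount.c:218 test: the pointer is checked for
 * NULL first, then its first character for the terminator. */
int has_strflags(const char *strflags)
{
    return strflags != NULL && *strflags != '\0';
}

/* Append "opt" (optlen bytes, not NUL-terminated) to strflags, joining
 * with a comma.  Returns 0 on success, -1 if it would not fit including
 * the terminating NUL; strflags is left unchanged on failure. */
static int append_strflag(char *strflags, size_t bufsize,
                          const char *opt, size_t optlen)
{
    size_t used = strlen(strflags);
    size_t need = used + (used ? 1 : 0) + optlen + 1;  /* comma + NUL */
    if (need > bufsize)
        return -1;
    if (used)
        strflags[used++] = ',';
    memcpy(strflags + used, opt, optlen);
    strflags[used + optlen] = '\0';
    return 0;
}

/* Split "options" on commas.  Returns 0 on success, -1 if an unknown
 * option does not fit in strflags[bufsize].  Empty items are skipped. */
int parse_mount_options(const char *options, unsigned long *flags,
                        char *strflags, size_t bufsize)
{
    if (bufsize == 0)
        return -1;
    strflags[0] = '\0';
    while (*options) {
        const char *end = strchr(options, ',');
        size_t len = end ? (size_t)(end - options) : strlen(options);
        size_t i, known = 0;
        for (i = 0; i < sizeof(opt_table) / sizeof(opt_table[0]); i++) {
            if (len == strlen(opt_table[i].name) &&
                memcmp(options, opt_table[i].name, len) == 0) {
                *flags |= opt_table[i].set;
                *flags &= ~opt_table[i].clear;
                known = 1;
                break;
            }
        }
        if (!known && len > 0 &&
            append_strflag(strflags, bufsize, options, len) != 0)
            return -1;   /* would overflow: reject instead of writing past the end */
        if (!end)
            break;
        options = end + 1;
    }
    return 0;
}

int main(void)
{
    char buf[16];           /* deliberately small fixed-size string buffer */
    unsigned long flags = 0;
    int rc = parse_mount_options("ro,nosuid,uid=1000", &flags, buf, sizeof buf);
    printf("rc=%d flags=0x%lx strflags=\"%s\"\n", rc, flags, buf);
    rc = parse_mount_options("ro,this-option-is-far-too-long-for-the-buffer",
                             &flags, buf, sizeof buf);
    printf("rc=%d (rejected, buffer untouched beyond its bounds)\n", rc);
    return 0;
}
```

The length check in append_strflag is the whole fix for the overflow: the caller passes the buffer size, every append accounts for the separator and the NUL, and an over-long or too-numerous set of unknown options produces an error return that mount_main() can report rather than a stack write past string_flags_buff.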