[BusyBox] bug report (?)
Vladimir N. Oleynik
dzo at simtreas.ru
Thu Jun 13 08:18:03 UTC 2002
Gerardo,
> - In file mount.c, function mount_main(). The buffer string_flags_buff can
> be overflown very easily through parse_mount_options() just by sending
> a very long option name, or simply too many options, through the -o
> command line argument.
> There's no single line responsible for the flaw. The whole parse_mount_options()
> was thought supposing that there was room enough in the buffer strflags
> for whatever might be given as an option. The problem is that whatever
> is given in the command line is passed to parse_argument_options(),
> allowing anyone willing to do it to overflow the stack and execute
> whatever code s/he wants.
>
> This is exploitable.
>
> BTW, there seems to be another error in function parse_mount_options(),
> but it's one of those errors that incredibly enough, end up doing
> what they were INTENDED to do but not THE WAY they were supposed to do it.
>
> mount.c:218 if (*strflags && strflags != '\0' && gotone == false) {
>
> I'm not sure, but I think the intention was to check if strflags was
> NULL and then to see if there was some text in it. Instead, it checks
> if there's a char different than 0 in the address pointed by strflags,
> and then compares the pointer strflags with '\0'. It'll work as long as
> strflags is not NULL... fun stuff :)
;)
Look at the last patch for "mount".
I removed the exploitable code and optimized for size.
Also, I removed the mistake you found on line 218. You're right.
Also, I removed two VERY old warnings and one exported name.
$ size mount_old.o mount.o
text data bss dec hex filename
2853 4 0 2857 b29 mount_old.o
2846 4 0 2850 b22 mount.o
--w
vodz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: last_patch46.gz
Type: application/octet-stream
Size: 1459 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20020613/d18b7db0/attachment.obj
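As an added example (not vodz's attached patch and not BusyBox's own mount.c), the following C code shows the kind of parsing the report describes in a bounded form: known options toggle flag bits, anything else is appended to a fixed-size buffer only if it fits, and the line-218 condition is written the way the reporter reads its intent (pointer non-NULL first, then non-empty text). The buffer size, flag values and option table are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Size of the fixed buffer that collects filesystem-specific options.
 * The size of the real string_flags_buff is not given in the report;
 * this value is an assumption for the example. */
#define STRFLAGS_SIZE 32

/* Bit flags for the few options handled here (assumed values for the
 * example, not the kernel's MS_* constants). */
#define OPT_RO      0x1
#define OPT_NOSUID  0x2
#define OPT_NOEXEC  0x4

struct known_opt { const char *name; int set; int clear; };

static const struct known_opt known[] = {
    { "ro",     OPT_RO,     0 },
    { "rw",     0,          OPT_RO },
    { "nosuid", OPT_NOSUID, 0 },
    { "noexec", OPT_NOEXEC, 0 },
};

/* Append len bytes of opt to strflags (capacity cap), inserting a comma
 * separator when the buffer already holds text. Returns false without
 * touching the buffer if the text plus the terminating NUL would not fit;
 * an unbounded strcat here is exactly the overflow the report describes. */
static bool append_bounded(char *strflags, size_t cap, const char *opt, size_t len)
{
    size_t used = strlen(strflags);
    size_t sep = used ? 1 : 0;

    if (used + sep + len + 1 > cap)
        return false;
    if (sep)
        strflags[used++] = ',';
    memcpy(strflags + used, opt, len);
    strflags[used + len] = '\0';
    return true;
}

/* Walk a comma-separated "-o" argument. Known options set or clear bits in
 * *flags; anything else is appended to strflags for the filesystem driver.
 * Returns the number of non-empty options processed, or -1 if the
 * filesystem-specific text would overflow strflags (one very long name or
 * too many names both end up here instead of on the stack). */
static int parse_mount_options_safe(const char *options, int *flags,
                                    char *strflags, size_t cap)
{
    int count = 0;

    *flags = 0;
    if (cap == 0)
        return -1;
    strflags[0] = '\0';

    while (*options) {
        const char *comma = strchr(options, ',');
        size_t len = comma ? (size_t)(comma - options) : strlen(options);
        size_t i;
        bool gotone = false;

        for (i = 0; i < sizeof known / sizeof known[0]; i++) {
            if (len == strlen(known[i].name) &&
                memcmp(options, known[i].name, len) == 0) {
                *flags |= known[i].set;
                *flags &= ~known[i].clear;
                gotone = true;
                break;
            }
        }
        if (!gotone && len > 0 &&
            !append_bounded(strflags, cap, options, len))
            return -1;
        if (len > 0)
            count++;
        options = comma ? comma + 1 : options + len;
    }
    return count;
}

/* The line-218 condition as the report reads its intent: check that the
 * pointer itself is non-NULL, then that it points at non-empty text.
 * The original compared the pointer strflags against '\0' instead. */
static bool has_flag_text(const char *strflags)
{
    return strflags != NULL && *strflags != '\0';
}
```

The caller still has to pass the real capacity of its buffer; the point is that every write into strflags goes through one length check, so a rejected option produces an error path (-1) rather than a stack write past the end of the buffer.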