[BusyBox] [PROPOSED FIX] tar and od segfault fix.

Geoffrey Lee glee at bluesat.unsw.edu.au
Tue Nov 5 19:09:03 UTC 2002


Hi all,


Just a quick note that tar and od will segfault under certain conditions.

Namely, when tar is run without arguments, it will segfault.  This is because
argc is not checked before dereferencing the argv argument vector.

Also, od will segfault when it is not given arguments, like this,

od

or when used like this:

cat /bin/ls | od -x

Again, this is due to incorrect dereferencing.  This happens in odoffset,
in the following check:

        if (*p != '+' && (argc < 2 ||
            (!isdigit(p[0]) && (p[0] != 'x' || !ishexdigit(p[1])))))
                return;

The following patch appears to fix the problem.

Note that we do not check for argc < 2 and then print a usage message for od,
because when run with no arguments, od should give its default behaviour and listen
on stdin, not print a help message.

Please CC me.  I'm off list.  Thanks!


	-- G.

-- 
char *p = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
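The bug class described in this mail (reading `argv[1]` before checking `argc`) is easy to reproduce outside BusyBox. The following is an added, self-contained illustration and not BusyBox code: `classify_first_arg` mirrors the shape of the odoffset check but tests for a missing argument first, and `normalise_first_arg` shows the tar-style "prepend '-'" step with the length check done before the dereference. Both function names, the return codes and the fixed-size buffer are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Classify the first command-line word roughly the way od's offset check does,
 * without dereferencing a NULL argv[1] first.  (Hypothetical helper, not BusyBox code.)
 * Returns: 0 = no argument (read stdin), 1 = looks like an offset,
 *         -1 = treat it as a filename. */
int classify_first_arg(int argc, char **argv)
{
    const char *p;

    /* C guarantees argv[argc] == NULL, so with argc == 1, argv[1] is NULL.
     * Reading *p at that point is exactly the crash described in the mail. */
    if (argc < 2 || argv[1] == NULL)
        return 0;

    p = argv[1];
    if (*p == '+')
        return 1;                          /* "+10"  -> explicit offset   */
    if (isdigit((unsigned char)p[0]))
        return 1;                          /* "10"   -> decimal offset    */
    if (p[0] == 'x' && isxdigit((unsigned char)p[1]))
        return 1;                          /* "x1f"  -> hex offset        */
    return -1;                             /* anything else -> a filename */
}

/* tar-style normalisation: if the first argument lacks a leading '-', copy it
 * into buf with '-' prepended.  Returns the argument to use, or NULL when there
 * is no argument (the caller should print usage) or buf is too small. */
const char *normalise_first_arg(int argc, char **argv, char *buf, size_t bufsz)
{
    if (argc < 2 || argv[1] == NULL)
        return NULL;                       /* checked BEFORE argv[1][0] */
    if (argv[1][0] == '-')
        return argv[1];
    if (strlen(argv[1]) + 2 > bufsz)       /* '-' + text + NUL must fit */
        return NULL;
    buf[0] = '-';
    strcpy(buf + 1, argv[1]);
    return buf;
}
```

The ordering is the whole point: both helpers decide whether an argument exists before touching its bytes, which is what the tar hunk achieves by moving the `argc < 2` test above the dereference and what the od hunk achieves with the `if (!p)` guard.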


diff -urN busybox.orig/archival/tar.c busybox/archival/tar.c
--- busybox.orig/archival/tar.c	Tue Nov  5 13:56:52 2002
+++ busybox/archival/tar.c	Wed Nov  6 12:43:44 2002
@@ -610,6 +610,9 @@
 #ifdef CONFIG_FEATURE_TAR_CREATE
 	unsigned char tar_create = FALSE;
 #endif
+	if (argc < 2) {
+		show_usage();
+	}
 
 	/* Prepend '-' to the first argument if required */
 	if (argv[1][0] != '-') {
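Review bot: the moved `argc < 2` guard now precedes the `argv[1][0]` read, which is the right order, but the hunk is only correct if `show_usage()` never returns; if it is not declared noreturn in this tree, control would fall through to `if (argv[1][0] != '-')` with `argv[1] == NULL` and crash exactly as before. Either add an explicit `return` after `show_usage();` or a one-line comment noting that it does not return, so the dependency is visible to the next reader.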
@@ -617,10 +620,6 @@
 		tmp[0] = '-';
 		strcpy(tmp + 1, argv[1]);
 		argv[1] = tmp;
-	}
-
-	if (argc < 2) {
-		show_usage();
 	}
 
 	/* Initialise default values */
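Review bot: removing the old check here is consistent with the first hunk; in its original position after the `tmp` block it could never be reached when `argc == 1`, because `argv[1][0]` had already been dereferenced. The braces still balance after the removal, so nothing further is needed in this hunk.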
diff -urN busybox.orig/textutils/od.c busybox/textutils/od.c
--- busybox.orig/textutils/od.c	Mon Jun 24 08:25:22 2002
+++ busybox/textutils/od.c	Wed Nov  6 13:02:40 2002
@@ -56,6 +56,12 @@
 	 * We assumes it's a file if the offset is bad.
 	 */
 	p = **argvp;
+
+	if (!p) {
+		/* hey someone is probably piping to us ... */
+		return;
+	}
+
 	if (*p != '+' && (argc < 2 ||
 	    (!isdigit(p[0]) && (p[0] != 'x' || !ishexdigit(p[1])))))
 		return;
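Review bot: the `if (!p) return;` guard fixes the NULL dereference, but the comment "hey someone is probably piping to us" describes the condition inaccurately: `p` is NULL whenever no offset or file argument remains (plain `od` on a terminal, or `od -x` with options only), regardless of whether stdin is a pipe. Suggest `/* no offset or file argument: read stdin */`. Also note that with this guard in place the `argc < 2` term in the following condition may be redundant in the no-argument case; worth checking how `argc` and `argvp` are adjusted by the caller before simplifying it in a follow-up.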

