[BusyBox] patch to login, dmesg and obscure
Erik Andersen
andersen at codepoet.org
Wed Jul 30 07:07:52 UTC 2003
On Mon Jul 28, 2003 at 03:55:32PM +0200, Ronny L Nilsson wrote:
>
> Hi
> I've discovered some bugs in the BusyBox unstable branch and since it doesn't
> seem to be fixed in the 1.0.0-pre1 release I created a patch with my changes.
> Description below:
>
>
> * libbb/obscure.c:password_check()
> There was a buffer overflow bug which caused passwd command to segfault when
> invoked by any other than the superuser.
I'm not seeing it. I don't see the crash, and in looking
at your patch, I'm not seeing it fix any buffer overflows...
> * loginutils/login.c:
> The login process should always time out if the user doesn't log in successfully within
> reasonable time. Otherwise we're sensitive to a DoS attack by simply doing a
> bunch of simultaneous telnet connections (deploys all available TTYs).
>
> This patch makes login.c terminate the connection after "TIMEOUT" seconds.
This looks ok. Applied.
> * util-linux/dmesg.c:
> If BusyBox was compiled with -DCONFIG_FEATURE_CLEAN_UP dmesg command segfaults
> if invoked with the "-n" option. (Due to a free() of an uninitialized
> pointer).
Applied with an ifdef, per vodz' suggestion,
-Erik
--
Erik B. Andersen http://codepoet-consulting.com/
--This message was written using 73% post-consumer electrons--
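
The login timeout discussed in this message, as an added example that is not code from the post or from the patch applied to BusyBox: a line reader that enforces one overall deadline for the whole prompt, so a client that connects and stays idle, or trickles partial input, cannot hold a TTY indefinitely. The function name `read_line_deadline`, the use of `poll()`, and the 60-second value are assumptions; the post only names a "TIMEOUT" constant.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* clock_gettime(), poll() */
#endif
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <time.h>
#include <unistd.h>

#define LOGIN_TIMEOUT_S 60   /* assumed value a caller would pass as timeout_s */

/* Milliseconds remaining until the deadline, clamped at 0. */
static long ms_left(const struct timespec *deadline)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    long ms = (long)(deadline->tv_sec - now.tv_sec) * 1000
            + (deadline->tv_nsec - now.tv_nsec) / 1000000;
    return ms > 0 ? ms : 0;
}

/* Reads one line (newline stripped) from fd into buf, NUL-terminated.
 * Returns its length, -1 on EOF/error, -2 once timeout_s seconds have passed. */
int read_line_deadline(int fd, char *buf, size_t cap, unsigned timeout_s)
{
    struct timespec deadline;
    size_t n = 0;

    if (cap == 0) return -1;
    clock_gettime(CLOCK_MONOTONIC, &deadline);   /* immune to wall-clock jumps */
    deadline.tv_sec += timeout_s;

    for (;;) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        long ms = ms_left(&deadline);
        if (ms == 0) return -2;                  /* deadline covers all bytes */
        int r = poll(&p, 1, (int)ms);
        if (r == 0) return -2;                   /* idle until the deadline */
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        char c;
        ssize_t got = read(fd, &c, 1);
        if (got <= 0) return -1;                 /* EOF or read error */
        if (c == '\n') { buf[n] = '\0'; return (int)n; }
        if (n + 1 < cap) buf[n++] = c;           /* drop bytes past capacity */
    }
}
```

On a `-2` return the caller closes the session and exits, which frees the TTY for the next connection.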