[BusyBox] [SECURITY] potential buffer overflows caused by my_getgrgid() and my_getpwuid

Tito farmatito at tiscali.it
Tue Aug 24 14:01:40 UTC 2004


Hi Erik,
Hi to all,
One more thought about this my_get* stuff:
maybe the correct behaviour should be:

A)	If the uid is not found, return NULL.
	In this case the app already has the long uid and can decide to convert
	it to a string if needed.
	The current behaviour, writing to the buffer and returning NULL, is useless;
	in fact in all occurrences of my_getpwuid() in:
	file:/rep/busybox-1.00-rc3/coreutils/id.c
	file:/rep/busybox-1.00-rc3/coreutils/ls.c
	file:/rep/busybox-1.00-rc3/libbb/procps.c
	file:/rep/busybox-1.00-rc3/sysklogd/logger.c
	the return value is not checked.
	Only in:
	file:/rep/busybox-1.00-rc3/archival/tar.c
	file:/rep/busybox-1.00-rc3/coreutils/whoami.c
	is the return value checked, but this seems easy to fix.
 
B)	If the uid is found, return a malloced buffer big enough to contain the full
	name, which can be freed later if needed.

 #include <string.h>
 #include <pwd.h>
 #include "libbb.h"	/* BusyBox xmalloc(): aborts on failure, never returns NULL */

 /* Return a malloc'ed copy of the user name for uid, or NULL if the uid
  * is unknown.  The caller owns the returned buffer and must free() it. */
 char *my_getpwuid(long uid)
 {
 	struct passwd *myuser;
 	char *name = NULL;

 	if ((myuser = getpwuid(uid)) != NULL) {
 		/* buffer sized from the real name, so it can never be too small */
 		name = (char *)xmalloc(strlen(myuser->pw_name) + 1);
 		strcpy(name, myuser->pw_name);
 	}
 	return name;
 }
 
I haven't looked at my_getgrgid yet.
Ciao,
Tito
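The following is an added example, not Tito's code nor BusyBox's, showing both halves of the proposal side by side: the malloc'ed-copy lookup (proposal B), a check for the fixed-buffer hazard the subject line warns about (would a given user name fit in a caller-sized buffer?), and a call site that handles the NULL return by printing the numeric uid (proposal A). To run offline and deterministically it replaces getpwuid() with a small constructed in-memory passwd table (fake_getpwuid); the names my_getpwuid_alloc, name_fits, format_owner, owner_is and alloc_name_is, and the entries in that table, are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for getpwuid()->pw_name so the example runs offline.
 * The 1001 entry is deliberately longer than the 8- or 9-byte buffers that
 * fixed-size callers typically reserve for a user name. */
struct fake_pw { long uid; const char *name; };

static const struct fake_pw fake_passwd[] = {
    { 0,    "root" },
    { 1000, "tito" },
    { 1001, "averylongusername_that_does_not_fit" },
};

static const char *fake_getpwuid(long uid)
{
    size_t i;
    for (i = 0; i < sizeof fake_passwd / sizeof fake_passwd[0]; i++)
        if (fake_passwd[i].uid == uid)
            return fake_passwd[i].name;
    return NULL;
}

/* Minimal xmalloc in the BusyBox style: abort instead of returning NULL. */
static void *xmalloc_demo(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        perror("malloc");
        abort();
    }
    return p;
}

/* Proposal B: a freshly allocated copy of the name, or NULL for an unknown
 * uid. The buffer is sized from the actual name, so no caller-chosen length
 * can be too small. Caller must free() the result. */
char *my_getpwuid_alloc(long uid)
{
    const char *pw_name = fake_getpwuid(uid);
    size_t len;
    char *name;

    if (pw_name == NULL)
        return NULL;
    len = strlen(pw_name) + 1;          /* include the terminating NUL */
    name = xmalloc_demo(len);
    memcpy(name, pw_name, len);
    return name;
}

/* The hazard of the old fixed-buffer contract, computed instead of executed:
 * 1 if the name for uid fits in bufsz bytes (NUL included), 0 if copying it
 * would overflow such a buffer, -1 if the uid is unknown. */
int name_fits(long uid, size_t bufsz)
{
    const char *pw_name = fake_getpwuid(uid);
    if (pw_name == NULL)
        return -1;
    return strlen(pw_name) + 1 <= bufsz;
}

/* Proposal A at a call site (what ls/id/tar would do): the name if known,
 * otherwise the numeric uid. Returns what snprintf would have written so the
 * caller can detect truncation; it never writes past out[outsz - 1]. */
int format_owner(long uid, char *out, size_t outsz)
{
    char *name = my_getpwuid_alloc(uid);
    int n;

    if (name != NULL) {
        n = snprintf(out, outsz, "%s", name);
        free(name);
    } else {
        n = snprintf(out, outsz, "%ld", uid);
    }
    return n;
}

/* Small self-check helpers: compare results against an expected string. */
int alloc_name_is(long uid, const char *expected)
{
    char *name = my_getpwuid_alloc(uid);
    int ok = (name != NULL) && strcmp(name, expected) == 0;
    free(name);
    return ok;
}

int owner_is(long uid, size_t outsz, const char *expected)
{
    char out[64];
    if (outsz > sizeof out)
        outsz = sizeof out;
    format_owner(uid, out, outsz);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    long uids[] = { 0, 1000, 1001, 4242 };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof uids / sizeof uids[0]; i++) {
        format_owner(uids[i], buf, sizeof buf);
        printf("uid %5ld -> %-36s fits in 9 bytes: %d\n",
               uids[i], buf, name_fits(uids[i], 9));
    }
    return 0;
}
```

The point of name_fits() is that with the fixed-buffer contract the only thing standing between the caller and an overflow is the length of a name in /etc/passwd, which the caller does not control; with the malloc'ed contract that length decides the allocation size instead, and the only thing the caller has to get right is checking for NULL and freeing the result.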