[BusyBox] [SECURITY] potential buffer overflows caused by my_getgrgid() and my_getpwuid
Tito
farmatito at tiscali.it
Tue Aug 24 14:01:40 UTC 2004
Hi Erik,
Hi to all,
One more thought about this my_get* stuff:
maybe the correct behaviour should be:
A) If the uid is not found return NULL.
In this case the app already has the long uid and can decide to convert
it to a string if needed.
The actual behaviour, writing to the buffer and returning NULL, is useless,
in fact in all occurrences of my_getpwuid() in:
file:/rep/busybox-1.00-rc3/coreutils/id.c
file:/rep/busybox-1.00-rc3/coreutils/ls.c
file:/rep/busybox-1.00-rc3/libbb/procps.c
file:/rep/busybox-1.00-rc3/sysklogd/logger.c
the return value is not checked.
Only in:
file:/rep/busybox-1.00-rc3/archival/tar.c
file:/rep/busybox-1.00-rc3/coreutils/whoami.c
the return value is checked, but this seems easy to fix.
B) If the uid is found return a malloced buffer big enough to contain the full
name that can be freed later if needed.
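    #include <pwd.h>    /* getpwuid(), struct passwd */
    #include <stdio.h>  /* sprintf() */
    #include <string.h> /* strlen() */

    /* Returns a malloced copy of the user name, or NULL if uid is not found. */
    char *my_getpwuid(long uid)
    {
        struct passwd *myuser;
        char *name = NULL;

        if ((myuser = getpwuid(uid)) != NULL)
        {
            /* size the buffer from the actual name; xmalloc() is from libbb */
            name = (char *)xmalloc(strlen(myuser->pw_name) + 1);
            sprintf(name, "%s", myuser->pw_name);
        }
        return name;
    }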
I haven't looked at my_getgrgid yet.
Ciao,
Tito
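The caller side of the contract proposed in this message, as an added example that is not part of the original post and is not BusyBox code: the lookup returns NULL for an unknown uid, and the caller checks that result and converts the uid to a string in a buffer sized for it. The names lookup_user_name, format_uid and owner_label are hypothetical, and plain malloc stands in for libbb's xmalloc.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Proposed contract: NULL when the uid is unknown, otherwise a heap
 * copy sized from the actual name (hypothetical name, not libbb's). */
static char *lookup_user_name(long uid)
{
    struct passwd *pw = getpwuid((uid_t)uid);
    if (pw == NULL)
        return NULL;
    size_t len = strlen(pw->pw_name) + 1;
    char *name = malloc(len);
    if (name != NULL)
        memcpy(name, pw->pw_name, len);
    return name;
}

/* Numeric fallback: ask snprintf for the length first, then allocate,
 * so no fixed-size buffer has to be guessed. */
static char *format_uid(long uid)
{
    int need = snprintf(NULL, 0, "%ld", uid);
    if (need < 0)
        return NULL;
    char *s = malloc((size_t)need + 1);
    if (s != NULL)
        snprintf(s, (size_t)need + 1, "%ld", uid);
    return s;
}

/* What a caller such as ls or id would do under this contract:
 * check the return value, fall back to the number, free when done. */
static char *owner_label(long uid)
{
    char *name = lookup_user_name(uid);
    return name != NULL ? name : format_uid(uid);
}

int main(void)
{
    char *label = owner_label((long)getuid());
    if (label != NULL)
        puts(label);
    free(label);
    return 0;
}
```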