0004594: nmeter buffer overflow
Cristian Cadar
cristic at stanford.edu
Thu Aug 14 01:26:12 UTC 2008
http://bugs.busybox.net/view.php?id=4594
Test case: ./nmeter -
The problem is in nmeter.c:
776: char buf[32];
...
790: if (open_read_close("version", buf, sizeof(buf)) > 0)
791: is26 = (strstr(buf, " 2.4.")==NULL);
At line 790, up to 32 chars are read into buf. If all 32 chars are
used, there's no space left for a terminating zero, and strstr will
read out-of-bounds memory. The fix would be to either resize buf or
read only up to sizeof(buf)-1 chars, and to terminate buf with a '\0'.
Thanks,
Cristian
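The second fix suggested in the report (read at most sizeof(buf)-1 bytes, then terminate before calling strstr), as an added example that is not code from the original message or from BusyBox. The names read_terminated, detect_is26 and write_sample are hypothetical, and the sample version strings and /tmp path are constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not BusyBox code): reads at most size-1 bytes and
 * always NUL-terminates buf on success. Returns bytes read, or -1 on error. */
ssize_t read_terminated(const char *path, char *buf, size_t size)
{
    ssize_t n;
    int fd;

    if (size == 0 || (fd = open(path, O_RDONLY)) < 0)
        return -1;
    n = read(fd, buf, size - 1);   /* leave room for the terminator */
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* The check from line 791, run on a buffer that is a valid C string.
 * Returns 1 if " 2.4." is absent, 0 if present, -1 if nothing was read. */
int detect_is26(const char *path)
{
    char buf[32];
    if (read_terminated(path, buf, sizeof(buf)) <= 0)
        return -1;
    return strstr(buf, " 2.4.") == NULL;
}

/* Writes a constructed sample file; returns 0 on success. */
int write_sample(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(text, f);
    return fclose(f);
}

int main(void)
{
    const char *p = "/tmp/nmeter_version_sample.txt";
    write_sample(p, "Linux version 2.4.31 (constructed sample, 32+ bytes)\n");
    printf("is26 = %d\n", detect_is26(p));
    return 0;
}
```

With an input longer than the buffer, the read stops at 31 bytes and buf[31] holds the terminator, so strstr never scans past the array.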