0004664: ping6 accesses invalid memory

Denys Vlasenko vda.linux at googlemail.com
Wed Aug 20 00:17:08 UTC 2008


On Tuesday 19 August 2008 22:21, Cristian Cadar wrote:
> http://bugs.busybox.net/view.php?id=4664
> 
> ./ping6 -
> accesses invalid memory
> 
> First, it calls ping6_main(argc=2, argv={"ping6", "-", 0}):
> 
> int ping6_main(int argc, char **argv)
> {
>     argv[0] = (char*)"-6";
>     return ping_main(argc + 1, argv - 1);
> }
> 
> ping_main then calls getopt32(argv, ...) which illegally dereferences
> argv[0], that is, the old argv[-1], on line getopt32.c:347:
> 
> 346: argc = 0;
> 347: while (argv[argc])
> 348: argc++;

Try this fix:

        /* skip 0: some applets cheat: they do not actually HAVE argv[0] */
        argc = 1;
        while (argv[argc])
                argc++;

--
vda
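
The off-by-one described in this thread, as an added example (not BusyBox code and not written by either poster): it models the shifted argument vector inside one in-bounds array to show what a scan from index 0 reads and what the count becomes when the scan starts at 1. The names `struct scan`, `count_args`, `run` and the `before` values are constructed for illustration.

```c
#include <stdio.h>

/* Outcome of one scan: the count it produced, and whether it read slot 0
 * of the shifted vector, i.e. the old argv[-1] the applet never owned. */
struct scan { int argc; int read_foreign_slot; };

/* Count entries the way the quoted getopt32 loop does, from index `start`. */
static struct scan count_args(char **argv, int start)
{
    struct scan s = { start, start == 0 };
    while (argv[s.argc])
        s.argc++;
    return s;
}

/* Model "./ping6 -" in one array so the demo itself stays in bounds:
 * mem[0] stands for whatever precedes argv (constructed value `before`),
 * mem[1..3] is the real argv including its NULL terminator. */
static struct scan run(char *before, int start)
{
    char *mem[] = { before, (char *)"ping6", (char *)"-", NULL };
    char **argv = &mem[1];               /* what ping6_main receives */
    argv[0] = (char *)"-6";              /* same overwrite as ping6_main */
    return count_args(argv - 1, start);  /* argv - 1 == mem here */
}

int main(void)
{
    struct scan a = run(NULL, 0);            /* foreign slot happens to be NULL */
    struct scan b = run((char *)"junk", 0);  /* foreign slot is non-NULL */
    struct scan c = run(NULL, 1);            /* scan starts at 1 */
    struct scan d = run((char *)"junk", 1);

    printf("start=0 before=NULL: argc=%d foreign_read=%d\n", a.argc, a.read_foreign_slot);
    printf("start=0 before=junk: argc=%d foreign_read=%d\n", b.argc, b.read_foreign_slot);
    printf("start=1 before=NULL: argc=%d foreign_read=%d\n", c.argc, c.read_foreign_slot);
    printf("start=1 before=junk: argc=%d foreign_read=%d\n", d.argc, d.read_foreign_slot);
    return 0;
}
```

With the scan starting at 0 the result depends on memory the applet does not own: the count is 0 when that slot is NULL and 3 otherwise. Starting at 1 gives 3 in both cases without touching the slot.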


