0004664: ping6 accesses invalid memory
Cristian Cadar
cristic at stanford.edu
Wed Aug 20 00:37:02 UTC 2008
Nice short fix. Should be fine because argv is guaranteed to be
terminated by a null pointer.
Cristian
On Wed, 2008-08-20 at 02:17 +0200, Denys Vlasenko wrote:
> On Tuesday 19 August 2008 22:21, Cristian Cadar wrote:
> > http://bugs.busybox.net/view.php?id=4664
> >
> > ./ping6 -
> > accesses invalid memory
> >
> > First, it calls ping6_main(argc=2, argv={"ping6", "-", 0}):
> >
> > int ping6_main(int argc, char **argv)
> > {
> >     argv[0] = (char*)"-6";
> >     return ping_main(argc + 1, argv - 1);
> > }
> >
> > ping_main then calls getopt32(argv, ...) which illegally dereferences
> > argv[0], that is, the old argv[-1], on line getopt32.c:347:
> >
> > 346: argc = 0;
> > 347: while (argv[argc])
> > 348:     argc++;
>
> Try this fix:
>
> /* skip 0: some applets cheat: they do not actually HAVE argv[0] */
> argc = 1;
> while (argv[argc])
>     argc++;
>
> --
> vda
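
Added example, not part of the original thread and not BusyBox code: a small model of the argv shift discussed above, comparing the counting loop quoted from getopt32.c with the loop from the proposed fix. The backing array's extra leading slot is a constructed stand-in for the memory before argv (so the model stays in bounds), and peek, count_from_0, count_from_1, run and reads_of_slot0 are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: slot 0 of the backing array stands in for whatever
 * memory precedes the real argv. In a real process it is not part of argv. */
static size_t reads_of_slot0;          /* times a loop looked at vec[0] */

static char *peek(char **vec, int i)   /* hypothetical helper: counted read */
{
    if (i == 0)
        reads_of_slot0++;
    return vec[i];
}

/* Loop quoted from getopt32.c:346-348: starts at index 0. */
static int count_from_0(char **vec)
{
    int argc = 0;
    while (peek(vec, argc))
        argc++;
    return argc;
}

/* Loop from the proposed fix: never touches index 0. */
static int count_from_1(char **vec)
{
    int argc = 1;
    while (peek(vec, argc))
        argc++;
    return argc;
}

/* Replays ping6_main's shift for "./ping6 -"; 'before' is the stand-in slot. */
static int run(int fixed, char *before)
{
    char *backing[4] = { before, (char *)"ping6", (char *)"-", NULL };
    char **argv = &backing[1];
    argv[0] = (char *)"-6";
    char **shifted = argv - 1;         /* in bounds only in this model */
    reads_of_slot0 = 0;
    return fixed ? count_from_1(shifted) : count_from_0(shifted);
}

int main(void)
{
    int a = run(0, NULL), b = run(0, (char *)"junk"), c = run(1, NULL);
    printf("old/NULL=%d old/junk=%d fixed=%d slot0 reads=%zu\n",
           a, b, c, reads_of_slot0);
    return 0;
}
```

With the old loop the count depends on the stand-in slot (0 when it holds NULL, 3 otherwise); the fixed loop returns 3, matching the argc + 1 that ping6_main passes, without reading that slot.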