[PATCH] ping6: segfault on incorrect command line
Michael Abbott
michael at araneidae.co.uk
Thu Nov 19 12:47:05 UTC 2009
On Wed, 18 Nov 2009, Leonid Lisovskiy wrote:
> ping6 segfaults on an incorrect command line when busybox is linked
> against uClibc 0.9.30.1
> example:
>
> $ ping6 -Z google.com
> Segmentation fault
>
> It seems this happens because uClibc doesn't initialize argv[-1] at
> all. A simple patch is below:
>
> Regards,
> Leonid
>
> --- a/networking/ping.c 2009-09-26 17:14:57.000000000 +0400
> +++ a/networking/ping.c 2009-11-18 20:39:19.000000000 +0300
> @@ -769,6 +769,7 @@ int ping_main(int argc UNUSED_PARAM, cha
> int ping6_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
> int ping6_main(int argc UNUSED_PARAM, char **argv)
> {
> + argv[-1] = argv[0];
> argv[0] = (char*)"-6";
> return ping_main(0 /* argc+1 - but it's unused anyway */,
> argv - 1);
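Review bot: the added `argv[-1] = argv[0];` stores one element before the start of the argv array that ping6_main was handed, which is outside that array; it can only work if whatever set up argv happens to leave a writable slot in front of it, and the report itself says uClibc does not initialize that slot. The actual trigger is the unchanged `return ping_main(0 /* argc+1 - but it's unused anyway */, argv - 1);` below the added line, which passes ping_main a vector whose element 0 lies before argv. Suggest building a fresh NULL-terminated vector (argv[0], "-6", then argv[1..]) and passing that to ping_main, so the fix does not depend on how a particular libc lays out argv; since argc is passed as 0, it should also be made explicit that ping_main never relies on it.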
Is argv[-1] even a valid address? Surely you're overwriting unknown
memory here, with entirely unpredictable consequences?
Or is this argv defined elsewhere to extend into negative offsets? If
you're saying it's come from uClibc, I doubt it, in which case the bug has
to be passing argv-1 to ping_main.
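The safe alternative to writing before argv, as an added example that is not busybox code and not part of either message above: allocate a new argument vector with "-6" inserted after the program name and hand that to the option parser. The names prepend_arg, fake_ping_main and ping6_wrapper are hypothetical stand-ins for the busybox functions; fake_ping_main only mimics the shape of an option scan so the wrapper has something to call.

```c
/* Added example, not busybox code: prepend an option to argv without
 * writing to argv[-1]. All function names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build a new NULL-terminated argument vector:
 *   new_argv[0]   = argv[0]     (program name)
 *   new_argv[1]   = extra       (e.g. "-6")
 *   new_argv[2..] = argv[1..argc-1]
 * The strings are shared, not copied, exactly as with argv itself.
 * Caller frees the result. Returns NULL if argc < 1 or on allocation failure. */
char **prepend_arg(int argc, char **argv, const char *extra)
{
    if (argc < 1)
        return NULL;
    char **new_argv = malloc(sizeof(char *) * (size_t)(argc + 2));
    if (!new_argv)
        return NULL;
    new_argv[0] = argv[0];
    new_argv[1] = (char *)extra;
    memcpy(&new_argv[2], &argv[1], sizeof(char *) * (size_t)(argc - 1));
    new_argv[argc + 1] = NULL;
    return new_argv;
}

/* Stand-in for ping_main (hypothetical): scans argv[1..argc-1], reports
 * whether "-6" was seen (1/0) and stores the last non-option argument as
 * the host. Returns -1 on an unrecognised option, the kind of incorrect
 * command line the report describes, instead of crashing. */
int fake_ping_main(int argc, char **argv, const char **host_out)
{
    int saw_v6 = 0;
    *host_out = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-6") == 0)
            saw_v6 = 1;
        else if (argv[i][0] == '-')
            return -1;
        else
            *host_out = argv[i];
    }
    return saw_v6;
}

/* The ping6 entry point done without touching argv[-1]: a fresh vector is
 * built, so nothing before argv[0] is read or written, whatever the libc. */
int ping6_wrapper(int argc, char **argv, const char **host_out)
{
    char **v6_argv = prepend_arg(argc, argv, "-6");
    if (!v6_argv)
        return -2;
    int rc = fake_ping_main(argc + 1, v6_argv, host_out);
    free(v6_argv);
    return rc;
}

int main(int argc, char **argv)
{
    const char *host;
    int rc = ping6_wrapper(argc, argv, &host);
    printf("rc=%d host=%s\n", rc, host ? host : "(none)");
    return rc < 0;
}
```

The cost is one small allocation per invocation; in exchange the wrapper no longer depends on whether the C library's startup code happens to leave a usable word in front of argv.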