[PATCH] bugfix_busybox_init_message_buffer_overflow

chenjie chenjie6 at huawei.com
Mon Aug 31 11:48:14 UTC 2015


Hello Xabier Oneca:

The test code just explains the code with a simple example.
It is not a busybox test case.
The original code will lead to msg[128], indeed.



On 2015/8/31 19:30, Xabier Oneca -- xOneca wrote:
> Hello Chenjie,
> 
> Your test case does not match the previous code of message of the
> patch, and I think your patch is not necessary.
> 
> Cheers,
> 
> Xabier Oneca_,,_
> 
> 2015-08-31 19:55 GMT+02:00  <chenjie6 at huawei.com>:
>> From: chenjie <chenjie6 at huawei.com>
>>
>> The message function will lead to a buffer overflow.
>>     The test case is like this:
>> #include <stdio.h>
>> #include <string.h>
>> #include <stdarg.h>
>> #include <stdlib.h>
>> void message(int where, const char *fmt, ...){
>>         va_list arguments;
>>         unsigned l;
>>         char msg[128];
>>
>>         msg[0] = '\r';
>>         va_start(arguments, fmt);
>>         l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
>>         if (l > sizeof(msg) - 1)
>>                 l = sizeof(msg) - 1;
>>         va_end(arguments);
>>
>>         msg[l] = '\0';
>>         msg[l++] = '\n';
>>         printf("l is length %u\n", l);
>>         msg[l] = '\0';
>> }
>>
>>
>> int main(){
>>         char *arguments = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";
>>         message(1, "process '%s' (pid 1234) exited. "
>>                         "Scheduling for restart.",
>>                         arguments);
>> }
>>
>>  We can see msg[128]='\0', but this is wrong. The arguments
>> are ones which we can find in /etc/inittab.
>>
>> Signed-off-by: Chen Jie <chenjie6 at huawei.com>
>> ---
>>  init/init.c | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/init/init.c b/init/init.c
>> index b2fe856..b8f2e73 100644
>> --- a/init/init.c
>> +++ b/init/init.c
>> @@ -221,9 +221,9 @@ static void message(int where, const char *fmt, ...)
>>
>>         msg[0] = '\r';
>>         va_start(arguments, fmt);
>> -       l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
>> -       if (l > sizeof(msg) - 2)
>> -               l = sizeof(msg) - 2;
>> +       l = 1 + vsnprintf(msg + 1, sizeof(msg) - 3, fmt, arguments);
>> +       if (l > sizeof(msg) - 3)
>> +               l = sizeof(msg) - 3;
>>         va_end(arguments);
>>
>>  #if ENABLE_FEATURE_INIT_SYSLOG
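Review bot: The removed lines in this hunk already clamp l to sizeof(msg) - 2, while the test case in the commit message clamps to sizeof(msg) - 1, so the reproducer does not exercise the code being changed. With the -2 clamp and the two writes the test case shows after it (msg[l++] = '\n'; msg[l] = '\0';), the last store lands at msg[sizeof(msg) - 1], which is in bounds; only the -1 clamp reaches msg[128]. Please either show an input that overflows with the existing bounds or drop the change, since moving both bounds to sizeof(msg) - 3 only truncates messages one byte earlier. The code after #if ENABLE_FEATURE_INIT_SYSLOG is not visible in this hunk, so if it stores more than those two bytes past l, the commit message should say so.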
>> --
>> 1.8.0
> 
> .
> 
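To compare the bounds being argued over in this thread, here is an added example (not code from the post or from BusyBox) that replays the same steps in an oversized scratch buffer and reports where the final NUL lands for each pair of bounds. The helper name `final_nul_index` is hypothetical, and it assumes the only writes after the clamp are the two shown in the posted test case.

```c
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 128   /* char msg[128] in the posted test case */

/* Hypothetical helper (not BusyBox code): replays the steps of message()
 * in an oversized scratch buffer, so a write past msg[MSG_SIZE - 1] can be
 * observed safely. size_slack and clamp_slack are the N in "sizeof(msg) - N"
 * passed to vsnprintf() and used in the clamp. snprintf() stands in for
 * vsnprintf(); both truncate and return the untruncated length.
 * Returns the index that receives the final '\0'. */
static unsigned final_nul_index(unsigned size_slack, unsigned clamp_slack,
                                const char *cmd)
{
    char scratch[MSG_SIZE + 8];
    unsigned l;

    memset(scratch, 0, sizeof scratch);
    scratch[0] = '\r';
    l = 1 + snprintf(scratch + 1, MSG_SIZE - size_slack,
                     "process '%s' (pid 1234) exited. "
                     "Scheduling for restart.", cmd);
    if (l > MSG_SIZE - clamp_slack)
        l = MSG_SIZE - clamp_slack;
    scratch[l] = '\0';
    scratch[l++] = '\n';
    scratch[l] = '\0';
    return l;   /* >= MSG_SIZE would be out of bounds for msg[128] */
}

int main(void)
{
    /* Command line taken from the test case in the message above. */
    const char *cmd = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf"
                      " -p /var/run/syslogd.pid -F";
    static const struct { const char *name; unsigned size, clamp; } v[] = {
        { "posted test case (-2, clamp -1)", 2, 1 },
        { "init.c before patch (-2, -2)",    2, 2 },
        { "init.c after patch (-3, -3)",     3, 3 },
    };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        unsigned idx = final_nul_index(v[i].size, v[i].clamp, cmd);
        printf("%-34s final NUL at msg[%u]%s\n", v[i].name, idx,
               idx >= MSG_SIZE ? "  <-- out of bounds" : "");
    }
    return 0;
}
```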



