[PATCH] bugfix_busybox_init_message_buffer_overflow
chenjie
chenjie6 at huawei.com
Mon Aug 31 11:48:14 UTC 2015
Hello Xabier Oneca:
The test code just explains the code with a simple example.
It is not a busybox test case.
The original code will lead to msg[128], indeed.
On 2015/8/31 19:30, Xabier Oneca -- xOneca wrote:
> Hello Chenjie,
>
> Your test case does not match the previous code of message of the
> patch, and I think your patch is not necessary.
>
> Cheers,
>
> Xabier Oneca_,,_
>
> 2015-08-31 19:55 GMT+02:00 <chenjie6 at huawei.com>:
>> From: chenjie <chenjie6 at huawei.com>
>>
>> The message function will lead to a buffer overflow.
>> The test case is like this:
>> #include <stdio.h>
>> #include <string.h>
>> #include <stdarg.h>
>> #include <stdlib.h>
>> void message(int where, const char *fmt, ...){
>>     va_list arguments;
>>     unsigned l;
>>     char msg[128];
>>
>>     msg[0] = '\r';
>>     va_start(arguments, fmt);
>>     l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
>>     if (l > sizeof(msg) - 1)
>>         l = sizeof(msg) - 1;
>>     va_end(arguments);
>>
>>     msg[l] = '\0';
>>     msg[l++] = '\n';
>>     printf("l is lenth %d\n",l);
>>     msg[l] = '\0';
>> }
>>
>>
>> int main(){
>>     char *arguments = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";
>>     message(1, "process '%s' (pid 1234) exited. "
>>             "Scheduling for restart.",
>>             arguments);
>> }
>>
>> We can see msg[128]='\0', but this is wrong. The arguments
>> which we can find in the /etc/inittab.
>>
>> Signed-off-by: Chen Jie <chenjie6 at huawei.com>
>> ---
>> init/init.c | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/init/init.c b/init/init.c
>> index b2fe856..b8f2e73 100644
>> --- a/init/init.c
>> +++ b/init/init.c
>> @@ -221,9 +221,9 @@ static void message(int where, const char *fmt, ...)
>>
>> msg[0] = '\r';
>> va_start(arguments, fmt);
>> - l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
>> - if (l > sizeof(msg) - 2)
>> - l = sizeof(msg) - 2;
>> + l = 1 + vsnprintf(msg + 1, sizeof(msg) - 3, fmt, arguments);
>> + if (l > sizeof(msg) - 3)
>> + l = sizeof(msg) - 3;
>> va_end(arguments);
>>
>> #if ENABLE_FEATURE_INIT_SYSLOG
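Review bot: the removed lines already clamp l to sizeof(msg) - 2, which is 126 for the char msg[128] shown in the commit message, so if the code after this hunk appends one '\n' and then the terminating '\0' as the test case does, those writes land at msg[126] and msg[127], both in bounds. The test case in the commit message clamps with `if (l > sizeof(msg) - 1)`, which is not what the `-` lines here contain, so it does not demonstrate an overflow in init.c. If the extra reserved byte is still wanted, please state in the commit message which write needs it and add a comment next to the clamp naming the bytes being reserved, since a bare `sizeof(msg) - 3` gives a reader no way to check the arithmetic.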
>> --
>> 1.8.0
>
> .
>
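The index arithmetic under discussion in this thread, as an added example that is not part of the original messages or of BusyBox: `final_nul_index` and `index_for_sample` are hypothetical helpers that replay the format, clamp and append steps for a given pair of margins and return the index where the terminating `'\0'` is stored. The scratch buffer carries guard bytes beyond the 128 being modelled, so an out-of-range index can be observed safely.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

#define MSG_SIZE 128   /* size of msg[] in the thread */

/* inittab command line quoted in the commit message */
static const char SAMPLE_ARG[] = "/usr/sbin/syslog-ng -f "
    "/etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F";

/* Hypothetical helper (not BusyBox code): replays the formatting steps with
 * the given margins and returns the index where the final '\0' is stored.
 * Guard bytes keep an out-of-range index observable without a real overflow. */
static size_t final_nul_index(size_t fmt_margin, size_t clamp_margin,
                              const char *fmt, ...)
{
    char msg[MSG_SIZE + 8];
    va_list ap;
    int n;
    size_t l;

    msg[0] = '\r';
    va_start(ap, fmt);
    /* returns the untruncated length, which can exceed the size passed in */
    n = vsnprintf(msg + 1, MSG_SIZE - fmt_margin, fmt, ap);
    va_end(ap);
    l = 1 + (size_t)(n < 0 ? 0 : n);
    if (l > MSG_SIZE - clamp_margin)
        l = MSG_SIZE - clamp_margin;
    msg[l++] = '\n';
    msg[l] = '\0';
    return l;   /* in bounds for a 128-byte buffer only if <= 127 */
}

/* Same format string and argument as the test case in the commit message. */
static size_t index_for_sample(size_t fmt_margin, size_t clamp_margin)
{
    return final_nul_index(fmt_margin, clamp_margin,
        "process '%s' (pid 1234) exited. Scheduling for restart.", SAMPLE_ARG);
}

int main(void)
{
    printf("test case in commit message (-2/-1): %zu\n", index_for_sample(2, 1));
    printf("removed lines (-2/-2): %zu\n", index_for_sample(2, 2));
    printf("added lines (-3/-3): %zu\n", index_for_sample(3, 3));
    return 0;
}
```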