[BusyBox] patch to login, dmesg and obscure
Ronny L Nilsson
bb at arbetsmyra.dyndns.org
Mon Jul 28 15:20:46 UTC 2003
> > * libbb/obscure.c:password_check()
> > There was a buffer overflow bug which cased passwd command to
> > segfault when invoked by any other than the superuser.
>
> from libbb/obscure.c:password_check()
> newmono = str_lower(bb_xstrdup(newval));
> lenwrap = strlen(old) * 2 + 1;
> wrapped = (char *) xmalloc(lenwrap);
> wrapped have size(old) * 2 +1. This can`t overflow for rotate check.
>
Are you realy sure?? Becuse some lines down ther's a
strcat(wrapped, wrapped)
instruction where the actual overflow occure.
This is an excerpt from STRCAT(3) manpage:
DESCRIPTION
The strcat() function appends the src string to
the dest string over writing the `\0' character at
the end of dest, and then adds a terminating
`\0' character. The strings may not overlap,
and the dest string must have enough space for
the result.
Which clearly says the used behaviour is illegal.
> > * util-linux/dmesg.c:
> But, CONFIG_FEATURE_CLEAN_UP is very not require.
>
> You must add
> #ifdef CONFIG_FEATURE_CLEAN_UP
> = NULL;
> #endif
> To your patch.
ok, I'll fix it.
/Ronny
More information about the busybox
mailing list