[PATCH] loginutils: fix OVERFLOW_UNDER_CHECK in getty.c
Anton Moryakov
ant.v.moryakov at gmail.com
Thu Jan 30 10:29:04 UTC 2025
Report of the static analyzer:
1. OVERFLOW_UNDER_CHECK Accessing an element of array 'ptr_to_globals->speeds' of size 10 at getty.c:165 (G.speeds[G.numspeed] = bcode(cp);)
can lead to a buffer overflow, since the index 'ptr_to_globals->numspeed' can have an out of range value 10,
as indicated by a preceding conditional expression at getty.c:170.
2. OVERFLOW_UNDER_CHECK Accessing an element of array 'ptr_to_globals->speeds' of size 10 at getty.c:166 (if (G.speeds[G.numspeed] < 0))
can lead to a buffer overflow, since the index 'ptr_to_globals->numspeed' can have an out of range value 10,
as indicated by a preceding conditional expression at getty.c:170.
Corrections explained:
Fixed a potential vulnerability related to out-of-bounds access in the G.speeds array within the parse_speeds function.
Previously, the check for exceeding the array size was performed after writing to the array,
which could result in writing beyond the valid range (index 10 for an array of size 10).
Changes:
- The check if (G.numspeed >= MAX_SPEED) is now performed before writing to the array. If the number of speeds exceeds MAX_SPEED, the program terminates with an error.
- G.numspeed is incremented only after a successful write operation, ensuring proper index management.
These changes prevent potential buffer overflow issues and improve the overall safety of the code.
Triggers found by static analyzer Svace.
Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
---
loginutils/getty.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loginutils/getty.c b/loginutils/getty.c
index 4581cc9f7..5c24d815f 100644
--- a/loginutils/getty.c
+++ b/loginutils/getty.c
@@ -162,13 +162,13 @@ static void parse_speeds(char *arg)
/* NB: at least one iteration is always done */
debug("entered parse_speeds\n");
while ((cp = strsep(&arg, ",")) != NULL) {
+ if (G.numspeed >= MAX_SPEED)
+ bb_simple_error_msg_and_die("too many alternate speeds");
G.speeds[G.numspeed] = bcode(cp);
if (G.speeds[G.numspeed] < 0)
bb_error_msg_and_die("bad speed: %s", cp);
/* note: arg "0" turns into speed B0 */
G.numspeed++;
- if (G.numspeed > MAX_SPEED)
- bb_simple_error_msg_and_die("too many alternate speeds");
}
debug("exiting parse_speeds\n");
}
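Review bot: the new guard `if (G.numspeed >= MAX_SPEED)` at the top of the `while` loop is only a correct bound if `G.speeds` is declared with exactly `MAX_SPEED` elements, and this hunk does not show that declaration (the analyzer report gives the size as 10). Consider writing the check against the array itself, for example `if (G.numspeed >= ARRAY_SIZE(G.speeds))`, so the bound cannot drift from the declaration. The removed test used `>` after the increment, which let an eleventh entry be stored at index 10 before the die; the commit message should name that off-by-one comparison as the root cause. Its second bullet also needs correcting, because `G.numspeed++` is an unchanged context line and was already placed after the write. One behavioural side effect worth a sentence in the message: the limit is now checked before `bcode(cp)`, so an over-limit entry that is also invalid reports "too many alternate speeds" rather than "bad speed".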
--
2.30.2