Bug#33781: tiny-ls.c in busybox has buffer overruns
Package: boot-floppies
Version: 2.1.7
Hi,
I just found a bug that crashes the busybox package. It has lots of buffer
overrun possibilities, but this one is actually likely to occur under
"normal" (non-evil) use: the buffer it gives to readlink() is much too
small.
Here's a fix.
Have fun,
Avery
diff -u -r1.3 tiny-ls.c
--- tiny-ls.c 1998/11/09 04:07:39 1.3
+++ tiny-ls.c 1999/02/23 22:51:29
@@ -146,7 +146,7 @@
static void writenum(long val, short minwidth)
{
- char scratch[20];
+ char scratch[128];
char *p = scratch + sizeof(scratch);
short len = 0;
@@ -211,7 +211,7 @@
static void list_single(const char *name, struct stat *info)
{
- char scratch[20];
+ char scratch[PATH_MAX];
short len = strlen(name);
#ifdef FEATURE_FILETYPECHAR
char append = append_char(info->st_mode);
Reply to: