Nice short fix. Should be fine because argv is guaranteed to be terminated by a null pointer.
Cristian

On Wed, 2008-08-20 at 02:17 +0200, Denys Vlasenko wrote:
> On Tuesday 19 August 2008 22:21, Cristian Cadar wrote:
> > http://bugs.busybox.net/view.php?id=4664
> >
> > ./ping6 -
> > accesses invalid memory
> >
> > First, it calls ping6_main(argc=2, argv={"ping6", "-", 0}):
> >
> > int ping6_main(int argc, char **argv)
> > {
> >     argv[0] = (char*)"-6";
> >     return ping_main(argc + 1, argv - 1);
> > }
> >
> > ping_main then calls getopt32(argv, ...) which illegally dereferences
> > argv[0], that is, the old argv[-1], on line getopt32.c:347:
> >
> > 346: argc = 0;
> > 347: while (argv[argc])
> > 348:     argc++;
>
> Try this fix:
>
> /* skip 0: some applets cheat: they do not actually HAVE argv[0] */
> argc = 1;
> while (argv[argc])
>     argc++;
>
> --
> vda
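The two counting loops from the thread, side by side, as an added example that is not part of the original messages or of the BusyBox source. The names `count_from_0`, `count_from_1`, `run` and `slots` are hypothetical; `slots[0]` stands in for whatever word sits in front of the real argv, so the shifted vector can be built without leaving the array.

```c
#include <stddef.h>
#include <stdio.h>

/* Pre-fix loop quoted in the thread (getopt32.c:346-348): reads argv[0]. */
static int count_from_0(char **argv)
{
    int argc = 0;
    while (argv[argc])
        argc++;
    return argc;
}

/* Loop from the proposed fix: starts at 1, so argv[0] is never read. */
static int count_from_1(char **argv)
{
    int argc = 1;
    while (argv[argc])
        argc++;
    return argc;
}

/* Hypothetical harness. guard models the memory at the old argv[-1];
 * in the real process its content is not under the applet's control. */
static int run(char *guard, int use_fix)
{
    /* constructed sample: { old argv[-1], "ping6", "-", terminator } */
    char *slots[] = { guard, (char *)"ping6", (char *)"-", NULL };
    char **argv = &slots[1];           /* what ping6_main receives */

    argv[0] = (char *)"-6";            /* as in ping6_main */
    char **shifted = argv - 1;         /* what ping_main receives */
    return use_fix ? count_from_1(shifted) : count_from_0(shifted);
}

int main(void)
{
    char junk[] = "junk";
    printf("old loop, NULL in front of argv:     %d\n", run(NULL, 0));
    printf("old loop, non-NULL in front of argv: %d\n", run(junk, 0));
    printf("fixed loop, NULL in front of argv:     %d\n", run(NULL, 1));
    printf("fixed loop, non-NULL in front of argv: %d\n", run(junk, 1));
    return 0;
}
```

The old loop's result changes with the content of the slot in front of argv, while the fixed loop returns the same count either way, because the first element it reads is the caller's original `argv[0]`.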
