----- "Denys Vlasenko" <[EMAIL PROTECTED]> wrote:

> On Friday 22 August 2008 06:26, Cristian Cadar wrote:
> > http://bugs.busybox.net/view.php?id=4684
> >
> > Test cases:
> > <full-path>/linux32 -
> > <full-path>/linux64 -
> > ./setarch "" ""
> >
> > 15: int setarch_main(int argc UNUSED_PARAM, char **argv)
> >     {
> >         int pers = -1;
> >         ...
> >     retry:
> > 25:     if (argv[0][5] == '6') /* linux64 */
> >             pers = PER_LINUX;
> > 27:     else if (argv[0][5] == '3') /* linux32 */
> >             pers = PER_LINUX32;
> > 29:     else if (pers == -1 && argv[1] != NULL) {
> >             pers = PER_LINUX32;
> > 31:         ++argv;
> >             goto retry;
> >         }
> >
> > Consider <full-path>/linux32: one of the root problems is that argv[0]
> > can be the full path to the program, so testing argv[0][5] is not always
> > meaningful.
> >
> > When <full-path>/linux32 is called, the test on setarch.c:25 fails, as
> > does the one on line 27. The one on line 29 succeeds, so argv is
> > incremented, and execution jumps back to line 25. Now argv[0] is "-",
> > so testing argv[0][5] causes a buffer overflow. The cases for linux64
> > and setarch are similar.
>
> Please try attached patch.

Thanks, I tested it and didn't find any other memory errors.

--Cristian
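
A bounds-safe form of the name check discussed in this thread, added here as an illustration; it is not the attached patch and not BusyBox code. The names `select_personality`, `pers_from_name`, `base_name` and the `EX_PER_*` constants are hypothetical, and rejecting unrecognised names as a usage error is this example's own choice.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for the kernel's personality constants so the example builds
 * anywhere; the values are those of <sys/personality.h> on Linux. */
enum { EX_PER_LINUX = 0x0000, EX_PER_LINUX32 = 0x0008, EX_PER_NONE = -1 };

/* Last path component, so "/usr/bin/linux32" and "linux32" compare equal. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Whole-string match: strcmp stops at the terminating NUL, so a short
 * string such as "-" or "" is never indexed past its end. */
static int pers_from_name(const char *name)
{
    if (strcmp(name, "linux64") == 0)
        return EX_PER_LINUX;
    if (strcmp(name, "linux32") == 0)
        return EX_PER_LINUX32;
    return EX_PER_NONE;
}

/* Returns the personality, or EX_PER_NONE for a usage error. On success
 * *cmd points at the first argument after the personality name. */
int select_personality(char **argv, char ***cmd)
{
    int pers;

    if (argv == NULL || argv[0] == NULL)
        return EX_PER_NONE;
    pers = pers_from_name(base_name(argv[0]));
    if (pers == EX_PER_NONE && argv[1] != NULL) {
        /* Invoked as "setarch <personality> ...": step once, no retry loop. */
        ++argv;
        pers = pers_from_name(argv[0]);
    }
    if (pers != EX_PER_NONE)
        *cmd = argv + 1;
    return pers;
}
```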
