From: chenjie <chenj...@huawei.com> The message function will lead to a buffer overflow. A test case looks like this: #include <stdio.h> #include <string.h> #include <stdarg.h> #include <stdlib.h> void message(int where, const char *fmt, ...){ va_list arguments; unsigned l; char msg[128];
msg[0] = '\r'; va_start(arguments, fmt); l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments); if (l > sizeof(msg) - 1) l = sizeof(msg) - 1; va_end(arguments); msg[l] = '\0'; msg[l++] = '\n'; printf("l is lenth %d\n",l); msg[l] = '\0'; } int main(){ char *arguments = "/usr/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslogd.pid -F"; message(1, "process '%s' (pid 1234) exited. " "Scheduling for restart.", arguments); } we can see msg[128]='\0' but this is wrong.The arguments which we can find in the /etc/inittab.
Signed-off-by: Chen Jie <chenj...@huawei.com>
---
 init/init.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/init/init.c b/init/init.c
index b2fe856..b8f2e73 100644
--- a/init/init.c
+++ b/init/init.c
@@ -221,9 +221,9 @@ static void message(int where, const char *fmt, ...)
 msg[0] = '\r';
 va_start(arguments, fmt);
- l = 1 + vsnprintf(msg + 1, sizeof(msg) - 2, fmt, arguments);
- if (l > sizeof(msg) - 2)
- l = sizeof(msg) - 2;
+ l = 1 + vsnprintf(msg + 1, sizeof(msg) - 3, fmt, arguments);
+ if (l > sizeof(msg) - 3)
+ l = sizeof(msg) - 3;
 va_end(arguments);
 #if ENABLE_FEATURE_INIT_SYSLOG
--
1.8.0
_______________________________________________
busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox
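Review bot: The overflow shown in the description does not come from the lines this hunk replaces: the reproducer clamps with `if (l > sizeof(msg) - 1)`, while the removed code already clamps `l` to `sizeof(msg) - 2`. With that clamp, a tail of `msg[l++] = '\n'; msg[l] = '\0';` writes no further than index `sizeof(msg) - 1`, which is in bounds. The tail of `message()` lies after `#if ENABLE_FEATURE_INIT_SYSLOG`, outside the hunk, so this assumes it matches the test program; if it does, moving both bounds to `- 3` only makes truncated messages one byte shorter, and the clamp actually present in the tree should be confirmed before merging. Whichever bound is kept, a comment above the `vsnprintf` call such as `/* msg[0] is '\r'; keep 2 bytes free for the trailing "\n\0" */` would make the byte budget checkable. A regression test that formats a result longer than `sizeof(msg)` would pin the truncation path.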