List:       busybox
Subject:    [BusyBox] bug#1270: busybox vi applet buffer overrun
From:       Jouni Malinen <jkmaline () cc ! hut ! fi>
Date:       2002-09-25 12:16:06

Package: busybox
Version: 0.60.4
Severity: normal

The Busybox vi applet uses a constant length buffer last_modifying_cmd
(BUFSIZ bytes), but does not check for buffer overruns when adding
characters (e.g., in insert mode) to this buffer in get_one_char(). This
will overwrite something when more than BUFSIZ characters are added in
one insert command. For example, on ppc-linux and uClibc the file name was
overwritten when 256 bytes were added in one insert command. After this,
file saves failed.

The attached patch checks for buffer overruns and refuses to write over the
buffer (a warning is displayed on the status line). This is a workaround
that prevents odd error cases, but the 'dot' command does not get all the
data because of the constant size buffer. The real fix would be to
dynamically enlarge the buffer, but I'm not sure whether it would really
be needed in busybox. The patch is for 0.60.4, but it seemed to apply
also for the current development version (although I did not test this with
the devel version).

In addition, there seem to be other buffer overruns in the vi applet, but this
was the one that has caused most problems for me. For example, another
problem occurred when adding a line with more than about 256 characters.

-- 
Jouni Malinen                                            PGP id EFC895FA

["busybox-0.60.4-vi-buffer_overrun.patch" (text/plain)]

--- vi.c.orig	Wed Sep 25 20:47:19 2002
+++ vi.c	Wed Sep 25 21:07:27 2002
@@ -3435,8 +3435,13 @@
 		// adding STDIN chars to q
 		c = readit();	// get the users input
 		if (last_modifying_cmd != 0) {
-			// add new char to q
-			last_modifying_cmd[strlen((char *) last_modifying_cmd)] = c;
+			int len = strlen((char *) last_modifying_cmd);
+			if (len + 1 >= BUFSIZ) {
+				psbs("last_modifying_cmd overrun");
+			} else {
+				// add new char to q
+				last_modifying_cmd[len] = c;
+			}
 		}
 	}
 #else							/* BB_FEATURE_VI_DOT_CMD */
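Review bot: The else branch stores c at last_modifying_cmd[len] but never writes a terminator at len + 1, so the strlen() on the next keystroke is only bounded if the buffer was zero-filled before recording started, which these lines do not show. The len + 1 >= BUFSIZ test already leaves room for it, so add last_modifying_cmd[len + 1] = '\0'; after the store. Two smaller points: once the limit is hit, the buffer keeps a truncated command that a later dot repeat would replay as if it were complete, so consider marking the recording invalid at that point instead of keeping the partial data; and psbs() is called again for every further keystroke of the same insert, which could be reduced to one warning per command.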


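The message above names dynamically enlarging the buffer as the real fix. The following is an added sketch of that approach, not part of the original message or of the BusyBox source; struct cmdbuf, cmdbuf_add, cmdbuf_fill and the CMDBUF_MAX limit are hypothetical names and values chosen for illustration.

```c
#include <stdlib.h>

/* Hypothetical stand-in for vi's last_modifying_cmd: the buffer tracks its
 * own length and capacity instead of relying on strlen() and a fixed BUFSIZ. */
struct cmdbuf {
	char *data;   /* NUL-terminated recorded keystrokes */
	size_t len;   /* bytes used, excluding the NUL */
	size_t cap;   /* bytes allocated */
};

#define CMDBUF_MAX ((size_t)64 * 1024)  /* assumed cap so a huge paste cannot exhaust memory */

/* Append one char. Returns 0, or -1 if it cannot grow (contents stay intact). */
int cmdbuf_add(struct cmdbuf *b, char c)
{
	if (b->len + 2 > b->cap) {              /* need room for c and the NUL */
		size_t ncap = b->cap ? b->cap * 2 : 16;
		if (ncap > CMDBUF_MAX)
			ncap = CMDBUF_MAX;
		if (b->len + 2 > ncap)
			return -1;              /* already at the hard limit */
		char *p = realloc(b->data, ncap);
		if (p == NULL)
			return -1;
		b->data = p;
		b->cap = ncap;
	}
	b->data[b->len++] = c;
	b->data[b->len] = '\0';                 /* always re-terminate */
	return 0;
}

/* Record n copies of c; returns how many were actually stored. */
size_t cmdbuf_fill(struct cmdbuf *b, char c, size_t n)
{
	size_t i;
	for (i = 0; i < n; i++)
		if (cmdbuf_add(b, c) != 0)
			break;
	return i;
}

int main(void)
{
	struct cmdbuf b = {0};
	size_t n = cmdbuf_fill(&b, 'x', 300);   /* more than the 256 bytes in the report */
	free(b.data);
	return n == 300 ? 0 : 1;
}
```

A caller that gets -1 back would still have to decide what to do with the partial recording, for example discard it so that a dot repeat does not replay half a command.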