
List:       busybox
Subject:    Re: Segfault in 'whois' for .IO domains, others?
From:       Denys Vlasenko <vda.linux () googlemail ! com>
Date:       2018-09-04 12:46:18
Message-ID: CAK1hOcNq6_rn+Mq_w_EBHTcikt2NAS=sSkJSQ5gZF289x7GERw () mail ! gmail ! com

On Sat, Sep 1, 2018 at 11:27 PM Zach van Rijn <me@zv.io> wrote:
>
> I've encountered a segmentation fault in the 'whois' utility
> using BusyBox 1.28.4 (the default Alpine Linux 3.8) as packaged,
> _and_ as built from source with defconfig on the same system.
>
> This issue only appears to occur for .IO domains (out of .COM,
> .NET, .ORG, .EDU; others untested), and happens about 50% of the
> time (repeated querying is likely to reveal it).
>
> Quite simply, the buffer 'linebuf' declared here [1] overflows,
> and musl's '__stack_chk_fail' correctly faults. On a glibc-based
> system, I have not been able to reproduce the fault, however the
> overflow still occurs.

I see. How about this fix?

        while (fgets(linebuf, sizeof(linebuf)-1, fp)) {
                unsigned len;

                len = strcspn(linebuf, "\r\n");
                linebuf[len++] = '\n';
                linebuf[len] = '\0';

> As the offending offset is _just_ beyond the end (50-60 bytes)
> of the buffer, increasing its size to 1200 or 2048 prevents the
> crash. Is there an "ideal" size that could be used, or should
> the mechanism be rewritten to reallocate as needed? Using a
> fixed buffer seems dangerous when the response size varies...

For now let's bump it to 2k.

> Also, while stepping through this briefly, I noticed that every
> string received is converted fully to lowercase [2], often
> unnecessarily, as only the first handful of characters are
> compared (see 'is_prefixed_with' a few lines later). Why not use
> the 'strncmp' function instead, and remove the 'str_tolower'?

Will this be more code?
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
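
The bounds of the loop proposed in the reply above, worked through as an added example (not code from the original message or from BusyBox). `LINEBUF_SIZE`, `read_chunks` and `run_sample` are hypothetical names, the buffer is shrunk to 16 bytes so that a constructed 20-byte line exceeds it, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LINEBUF_SIZE 16 /* assumption: tiny on purpose so a 20-byte line exceeds it */

/* Runs the loop from the reply over fp. Returns the number of chunks read,
 * records the most bytes of linebuf ever written (terminator included) in
 * *max_used, and appends every normalized chunk to out. */
static unsigned read_chunks(FILE *fp, size_t *max_used, char *out, size_t outsz)
{
    char linebuf[LINEBUF_SIZE];
    unsigned chunks = 0;

    *max_used = 0;
    out[0] = '\0';
    /* fgets stores at most LINEBUF_SIZE-2 characters plus its own NUL */
    while (fgets(linebuf, sizeof(linebuf) - 1, fp)) {
        unsigned len;

        len = strcspn(linebuf, "\r\n"); /* == strlen() when the chunk has no EOL */
        linebuf[len++] = '\n';          /* may overwrite the NUL fgets wrote */
        linebuf[len] = '\0';            /* so terminate again; index <= size-1 */
        if (len + 1 > *max_used)
            *max_used = len + 1;
        if (strlen(out) + len < outsz)
            strcat(out, linebuf);
        chunks++;
    }
    return chunks;
}

/* Feeds constructed text through read_chunks via a temporary file. */
static unsigned run_sample(const char *text, size_t *max_used, char *out, size_t outsz)
{
    FILE *fp = tmpfile();
    unsigned n;

    if (!fp)
        return 0;
    fputs(text, fp);
    rewind(fp);
    n = read_chunks(fp, max_used, out, outsz);
    fclose(fp);
    return n;
}

int main(void)
{
    size_t used;
    char out[128];
    unsigned n = run_sample("Domain: EXAMPLE.IO\r\nshort\r\n", &used, out, sizeof(out));
    printf("%u chunks, %zu of %d bytes used\n%s", n, used, LINEBUF_SIZE, out);
    return 0;
}
```

The over-long line fills the buffer exactly and never exceeds it, but it comes out as two chunks, each ending in `'\n'`, so a line longer than the buffer is split in the output.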