| Summary: | Buffer overrun in runit/svlogd.c when scanning config file | | |
|---|---|---|---|
| Product: | Busybox | Reporter: | Earl Chew <echew> |
| Component: | Other | Assignee: | unassigned |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | busybox-cvs |
| Priority: | P3 | | |
| Version: | 1.14.x | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Windows | | |
| Host: | | Target: | |
| Build: | | | |
| Attachments: | Proposed patch; Proposed patch | | |
You need to use buf[i] = '\0'; in order to truncate buf exactly where read stopped. Applied, thanks!

Comment on attachment 439
Proposed patch

This patch fails to prevent the configuration file scanner reading uninitialised data.

Created attachment 445
Proposed patch
Created attachment 439
Proposed patch

I believe there is a possibility of overrunning the buffer containing the log configuration in runit/svlogd.c.

The code in svlogd.c uses open_read_close() to retrieve the content of the configuration file, and then scans the buffer searching for a terminating nul. The function open_read_close() does not guarantee that a terminating nul is present.
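The pattern discussed in this report, as an added example that is not BusyBox code or either attached patch: a read that reserves one byte and writes the terminator at the index where the read stopped, so a later scan for the nul stays inside the buffer. The names `read_terminated` and `scan_after_read` are hypothetical, and the pipe and sample config text are constructed stand-ins for the config file.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not BusyBox's open_read_close(): read at most
 * size-1 bytes from fd into buf and terminate exactly where the read
 * stopped. Returns the byte count, or -1 on error. */
static ssize_t read_terminated(int fd, char *buf, size_t size)
{
    ssize_t n = 0;
    size_t i = 0;

    if (size == 0)
        return -1;
    /* Reserve the last byte so the terminator always fits inside buf. */
    while (i < size - 1 && (n = read(fd, buf + i, size - 1 - i)) > 0)
        i += (size_t)n;
    if (n < 0)
        return -1;
    buf[i] = '\0';   /* without this, a NUL-seeking scan reads stale bytes */
    return (ssize_t)i;
}

/* Constructed demo: feed cfg through a pipe (standing in for the config
 * file), fill a 16-byte buffer with non-NUL bytes (standing in for
 * uninitialised memory), read, and return how far a scan for the
 * terminator travels. Returns (size_t)-1 on failure. */
static size_t scan_after_read(const char *cfg)
{
    char buf[16];
    size_t len = strlen(cfg);
    ssize_t n;
    int p[2];

    if (pipe(p) < 0)
        return (size_t)-1;
    n = write(p[1], cfg, len);
    close(p[1]);
    memset(buf, 'X', sizeof buf);
    n = (n == (ssize_t)len) ? read_terminated(p[0], buf, sizeof buf) : -1;
    close(p[0]);
    return n < 0 ? (size_t)-1 : strlen(buf);
}

int main(void)
{
    return scan_after_read("s1000000\nn10\n") == 13 ? 0 : 1;
}
```

An empty input and an input longer than the buffer are the two cases where the missing terminator matters most: in the first the whole buffer is stale, in the second there is no spare byte unless one was reserved.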