Bug 439 - Buffer overrun in runit/svlogd.c when scanning config file
Summary: Buffer overrun in runit/svlogd.c when scanning config file
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.14.x
Hardware: PC Windows
Importance: P3 major
Target Milestone: ---
Assignee: unassigned
 
Reported: 2009-07-03 14:41 UTC by Earl Chew
Modified: 2009-07-11 22:26 UTC


Attachments
Proposed patch (719 bytes, patch)
2009-07-03 14:41 UTC, Earl Chew
Proposed patch (701 bytes, patch)
2009-07-03 17:13 UTC, Earl Chew

Description Earl Chew 2009-07-03 14:41:27 UTC
Created attachment 439
Proposed patch

I believe there is a possibility of overrunning the buffer containing the log configuration in runit/svlogd.c.

The code in svlogd.c uses open_read_close() to retrieve the content of the configuration file, and then scans the buffer searching for a terminating nul. The function open_read_close() does not guarantee that a terminating nul is present.
Comment 1 Denys Vlasenko 2009-07-03 16:32:30 UTC
You need to use

buf[i] = '\0';

in order to truncate buf exactly where read stopped.

Applied, thanks!
Comment 2 Earl Chew 2009-07-03 17:13:08 UTC
Comment on attachment 439
Proposed patch

This patch fails to prevent the configuration file scanner reading uninitialised data.
Comment 3 Earl Chew 2009-07-03 17:13:40 UTC
Created attachment 445
Proposed patch
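
The termination rule discussed in the description and Comment 1, as an added example that is not taken from the attached patches or from BusyBox: a read helper that adds no NUL, a hardened loader that terminates at the read length, and a comparison with terminating only at the end of the buffer. The names read_and_close, load_config and scanned_length are hypothetical, the config text is constructed, and a pipe stands in for the config file so nothing is written to disk.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for a helper like open_read_close(): returns the
 * number of bytes read (or -1) and does NOT append a terminating NUL. */
static ssize_t read_and_close(int fd, char *buf, size_t size)
{
    ssize_t n = read(fd, buf, size);
    close(fd);
    return n;
}

/* Hardened load: keep one byte spare and terminate exactly where the read
 * stopped, so a NUL scan sees the file content and nothing else. */
static ssize_t load_config(int fd, char *buf, size_t size)
{
    if (size == 0) { close(fd); return -1; }
    ssize_t n = read_and_close(fd, buf, size - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed demo; a pipe stands in for the config file. mode 0 puts the
 * NUL only at the end of the buffer, mode 1 at the read length. Returns how
 * many bytes a scan for the terminating NUL would walk. */
static size_t scanned_length(int mode)
{
    static const char cfg[] = "s1000000\nn10\n"; /* constructed sample config */
    char buf[64];
    int p[2];
    if (pipe(p) < 0) return 0;
    ssize_t w = write(p[1], cfg, sizeof(cfg) - 1);
    close(p[1]);
    memset(buf, 'X', sizeof(buf));               /* simulate stale contents */
    buf[sizeof(buf) - 1] = '\0';
    ssize_t n = mode ? load_config(p[0], buf, sizeof(buf))
                     : read_and_close(p[0], buf, sizeof(buf) - 1);
    if (w < 0 || n < 0) buf[0] = '\0';
    return strlen(buf);
}

int main(void)
{
    printf("NUL at buffer end:  scan walks %zu bytes\n", scanned_length(0));
    printf("NUL at read length: scan walks %zu bytes\n", scanned_length(1));
    return 0;
}
```

With the NUL only at the end of the buffer the scan stays in bounds but parses 50 stale bytes as if they were configuration; with the NUL at the read length it stops after the 13 bytes that were actually read.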