aboutsummaryrefslogtreecommitdiff
path: root/toys/other
diff options
context:
space:
mode:
authorRob Landley <rob@landley.net>2015-08-25 03:22:02 -0500
committerRob Landley <rob@landley.net>2015-08-25 03:22:02 -0500
commit9215cbc062f85cd285d8906a0b36941fa44d06c7 (patch)
tree81f7cf3ca91f1cc6a09dd36504bbbf737a8d023a /toys/other
parent92f3b785690f5c23e1b84b6e726d7859d0ab1608 (diff)
downloadtoybox-9215cbc062f85cd285d8906a0b36941fa44d06c7.tar.gz
Static analysis from Hyejin Kim found possible pointer underflow.
Now that the kernel's 128k environment size has been lifted, it might be possible to feed in a gigabyte of suffix so argv[2] is enough larger than argv[1] that char *s decrements past NULL and points to arbitrary high memory (I.E. strlen(suffix) > (long)base), at which point the base > s test is defeated and we strcmp() against a wild pointer. Which is read only anyway and on 64 bit you probably couldn't hit any interesting addresses, but the fix is easy enough: compare strlen values instead of pointers. So do that instead.
Diffstat (limited to 'toys/other')
0 files changed, 0 insertions, 0 deletions