diff options
author | Rob Landley <rob@landley.net> | 2015-08-25 03:22:02 -0500 |
---|---|---|
committer | Rob Landley <rob@landley.net> | 2015-08-25 03:22:02 -0500 |
commit | 9215cbc062f85cd285d8906a0b36941fa44d06c7 (patch) | |
tree | 81f7cf3ca91f1cc6a09dd36504bbbf737a8d023a /toys/pending | |
parent | 92f3b785690f5c23e1b84b6e726d7859d0ab1608 (diff) | |
download | toybox-9215cbc062f85cd285d8906a0b36941fa44d06c7.tar.gz |
Static analysis from Hyejin Kim found possible pointer underflow.
Now that the kernel's 128k environment size has been lifted, it might be
possible to feed in a gigabyte of suffix so argv[2] is enough larger than
argv[1] that char *s decrements past NULL and points to arbitrary high
memory (I.E. strlen(suffix) > (long)base), at which point the base > s
test is defeated and we strcmp() against a wild pointer.
Which is read only anyway and on 64 bit you probably couldn't hit any
interesting addresses, but the fix is easy enough: compare strlen values
instead of pointers. So do that instead.
Diffstat (limited to 'toys/pending')
0 files changed, 0 insertions, 0 deletions