From 9215cbc062f85cd285d8906a0b36941fa44d06c7 Mon Sep 17 00:00:00 2001
From: Rob Landley
Date: Tue, 25 Aug 2015 03:22:02 -0500
Subject: Static analysis from Hyejin Kim found possible pointer underflow.

Now that the kernel's 128k environment size has been lifted, it might be possible to feed in a gigabyte of suffix so argv[2] is enough larger than argv[1] that char *s decrements past NULL and points to arbitrary high memory (I.E. strlen(suffix) > (long)base), at which point the base > s test is defeated and we strcmp() against a wild pointer. Which is read only anyway and on 64 bit you probably couldn't hit any interesting addresses, but the fix is easy enough: compare strlen values instead of pointers. So do that instead.
---
toys/posix/basename.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'toys/posix/basename.c')
diff --git a/toys/posix/basename.c b/toys/posix/basename.c
index c49a5f36..1a27a23b 100644
--- a/toys/posix/basename.c
+++ b/toys/posix/basename.c
@@ -24,8 +24,10 @@ void basename_main(void)
 // chop off the suffix if provided
 if (suffix) {
- char *s = base + strlen(base) - strlen(suffix);
- if (s > base && !strcmp(s, suffix)) *s = 0;
+ long bl = strlen(base), sl = strlen(suffix);
+ char *s = base + bl - sl;
+
+ if (bl > sl && !strcmp(s, suffix)) *s = 0;
 }
 puts(base);
--
cgit v1.2.3
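Review bot: The new `char *s = base + bl - sl;` line still forms the pointer before the `bl > sl` check runs, so when the suffix is longer than the name `s` is computed outside the argv string; it is no longer compared or dereferenced, but forming an out-of-bounds pointer is itself undefined behaviour in C, which is the same class of problem the commit sets out to remove. Holding strlen() results in `long` rather than `size_t` is also a signed/unsigned mismatch that -Wconversion will flag. Both go away if the lengths stay unsigned and the pointer is only built after the length test: `size_t bl = strlen(base), sl = strlen(suffix);` followed by `if (bl > sl && !strcmp(base + bl - sl, suffix)) base[bl - sl] = 0;`. The strict `>` is right as written, since POSIX basename leaves the name alone when the suffix equals the whole string. basename_main begins before this hunk, so `base` and `suffix` are declared outside it.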