[Toybox] Invalid/out-of-bounds access in 'posix/ulimit.c'
Zach van Rijn
me at zv.io
Sat Sep 1 17:27:37 PDT 2018
Since commit 2f3f26ea1ec581cd24a0778323eb0844f03fd6a3, 'ulimit'
has included a loop over each item in the char array 'map', and
also attempted to access past the last element:
char map[] = { /* ... */ };
int i;
for (i = 0; i < sizeof(map); i++) {
// ...
}
if (prlimit(TT.P, map[i], &rr, 0)) perror_exit(0);
^
out-of-bounds
What is the intended behavior?
And, since commit 2b999e614c48f084f6a14d589d434904aec6d491 in
'lib/linestack.c' there's been an 8-byte buffer 'buf' in the
'crunch_escape' function, where the 'sprintf' could potentially
overflow this buffer by 3 or 4 bytes (the value of 'wc').
Last, a very minor patch is attached for 'net/netstat.c'
ensuring that the file handle is closed before an early return
from the 'show_ip' routine.
ZV
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Close-file-handle-before-return-on-error.patch
Type: text/x-patch
Size: 740 bytes
Desc: not available
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20180901/95c946a6/attachment-0002.bin>
More information about the Toybox
mailing list