[Toybox] Invalid/out-of-bounds access in 'posix/ulimit.c'

Zach van Rijn me at zv.io
Sat Sep 1 17:27:37 PDT 2018


Since commit 2f3f26ea1ec581cd24a0778323eb0844f03fd6a3, 'ulimit'
has included a loop over each item in the char array 'map', and
also attempted to access past the last element:

    char map[] = { /* ... */ };
    int i;

    for (i = 0; i < sizeof(map); i++) {
        // ...
    }

    if (prlimit(TT.P, map[i], &rr, 0)) perror_exit(0);
                          ^
                   out-of-bounds

What is the intended behavior?


And, since commit 2b999e614c48f084f6a14d589d434904aec6d491 in
'lib/linestack.c' there's been an 8-byte buffer 'buf' in the 
'crunch_escape' function, where the 'sprintf' could potentially
overflow this buffer by 3 or 4 bytes (the value of 'wc').


Last, a very minor patch is attached for 'net/netstat.c'
ensuring that the file handle is closed before an early return
from the 'show_ip' routine.


ZV
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Close-file-handle-before-return-on-error.patch
Type: text/x-patch
Size: 740 bytes
Desc: not available
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20180901/95c946a6/attachment-0002.bin>
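
The post-loop index problem reported above for 'ulimit', as an added example that is not toybox code and not part of the original message. It assumes the elided loop body breaks on the first match; the table contents, the flag bits and the names scan_unchecked, scan_checked and query_limit are constructed for illustration, and getrlimit stands in for prlimit.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/resource.h>

/* Constructed table (not toybox's): one resource id per option bit. */
static const char map[] = { RLIMIT_CORE, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_NOFILE };

/* Before: index of the first selected bit, or sizeof(map) if none is set.
 * The caller cannot tell "no match" from a valid slot without a check. */
static size_t scan_unchecked(unsigned flags)
{
    size_t i;

    for (i = 0; i < sizeof(map); i++)
        if (flags & (1u << i)) break;
    return i;              /* == sizeof(map) when the loop ran to completion */
}

/* After: the same scan, with the fall-through case turned into an error. */
static int scan_checked(unsigned flags, int *resource)
{
    size_t i = scan_unchecked(flags);

    if (i >= sizeof(map)) return -1;   /* map[i] would be one past the end */
    *resource = map[i];
    return 0;
}

/* Only reaches the limit syscall with an index proven to be in range. */
static int query_limit(unsigned flags, struct rlimit *out)
{
    int resource;

    if (scan_checked(flags, &resource)) return -1;
    return getrlimit(resource, out);
}

int main(void)
{
    struct rlimit rl;

    printf("no flag set: index %zu of %zu\n", scan_unchecked(0), sizeof(map));
    printf("checked, no flag: %d\n", query_limit(0, &rl));
    printf("checked, bit 3 (RLIMIT_NOFILE): %d\n", query_limit(1u << 3, &rl));
    return 0;
}
```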