| ID | 0004104 |
| Category | [BusyBox] Other |
| Severity | major |
| Reproducibility | always |
| Date Submitted | 07-14-08 19:19 |
| Last Update | 07-16-08 16:17 |
| Reporter | cristic |
| View Status | public |
| Assigned To | BusyBox |
| Priority | normal |
| Resolution | fixed |
| Status | closed |
| Product Version | |
| Summary | 0004104: od bug: dangling pointer |
| Description |

Hello, I'm part of a research group at Stanford working on automatic bug finding tools. We are currently using Busybox as one of our benchmarks, and I would like to report a series of bugs we found. Please let me know if this site is not the preferred way of reporting bugs.

Here is a first bug we found in od: a potential dangling pointer bug, which can lead to memory corruption. Here is a very small test case which exposes the problem:

```
$ echo -n a >A
$ od A
```

The problem is in the rewrite() function in dump.c. Here is the relevant snippet (dump.c: 234-252, busybox 1.11.1):

```c
/* dump.c:234-252, busybox 1.11.1, inside rewrite() */
/* (A) */ pr->fmt = xstrdup(fmtp);               /* fresh heap buffer for the format */
          *p2 = savech;
/* (B) */ pr->cchar = pr->fmt + (p1 - fmtp);     /* pointer INTO that buffer */
          /* DBU:[dave@cray.com] w/o this, trailing fmt text, space is lost.
           * Skip subsequent text and up to the next % sign and tack the
           * additional text onto fmt: eg. if fmt is "%x is a HEX number",
           * we lose the " is a HEX number" part of fmt. */
          for (p3 = p2; *p3 && *p3 != '%'; p3++);
          if (p3 > p2) {
              savech = *p3;
              *p3 = '\0';
/* (C) */     pr->fmt = xrealloc(pr->fmt, strlen(pr->fmt)+(p3-p2)+1); /* may move the buffer; cchar is not updated */
              strcat(pr->fmt, p2);
              *p3 = savech;
              p2 = p3;
          }
```

Line (A) initializes pr->fmt to point to a new buffer. On line (B), pr->cchar is also set to point into this buffer. Later on, pr->fmt is realloc'ed, potentially pointing to a new region in memory. However, pr->cchar is not reset, and it still points to the old buffer. Later on, when pr->cchar is written into (for example, in bpad(), dump.c:438), the write can lead to memory corruption, since pr->cchar may now point to either freed memory or a new buffer which happened to be allocated there.

Cristian
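The defect above is the classic "interior pointer survives a realloc" pattern: cchar is derived from fmt at step (B), and step (C) may move fmt without re-deriving cchar. The following is an added example, not code from BusyBox or from the report, that shows the safe ordering: convert the interior pointer to an offset before realloc, re-anchor it afterwards, and check the invariant before writing through it. The `struct pr`, the `pr_*` function names and the sample format text are constructed for this example; `pr_patch_cchar` stands in for the later write in bpad() that the report mentions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in (constructed here) for the PR struct used by od's dump.c:
 * fmt owns a heap buffer, cchar points into it at the conversion character. */
struct pr {
    char *fmt;
    char *cchar;
};

/* Build a pr from a spec such as "%x": fmt gets a copy of the spec and
 * cchar points at the conversion character (the char after '%').
 * Mirrors steps (A) and (B) of the report. */
static int pr_init(struct pr *pr, const char *spec)
{
    const char *pct = strchr(spec, '%');
    if (!pct || pct[1] == '\0')
        return -1;
    pr->fmt = strdup(spec);
    if (!pr->fmt)
        return -1;
    pr->cchar = pr->fmt + (pct + 1 - spec);
    return 0;
}

/* Append `tail` to pr->fmt, growing the buffer with realloc.
 * This is the corrected form of step (C): the interior pointer is turned
 * into an offset before realloc and re-derived afterwards, so cchar can
 * never refer to the old (possibly freed) buffer. */
static int pr_append_fmt(struct pr *pr, const char *tail)
{
    size_t old_len = strlen(pr->fmt);
    size_t cc_off = (size_t)(pr->cchar - pr->fmt);   /* offset survives the move */
    char *grown = realloc(pr->fmt, old_len + strlen(tail) + 1);
    if (!grown)
        return -1;
    pr->fmt = grown;
    pr->cchar = pr->fmt + cc_off;                     /* re-anchor into new buffer */
    strcat(pr->fmt, tail);
    return 0;
}

/* Invariant a reviewer would want before any write through cchar:
 * it must lie inside the current fmt buffer. Returns 1 if valid, 0 otherwise. */
static int pr_cchar_valid(const struct pr *pr)
{
    size_t len = strlen(pr->fmt);
    return pr->cchar >= pr->fmt && pr->cchar < pr->fmt + len;
}

/* Stand-in for the later write in bpad(): replace the conversion character
 * in place. Returns the resulting format string, or NULL if the invariant
 * does not hold (which is exactly the state the report describes). */
static const char *pr_patch_cchar(struct pr *pr, char c)
{
    if (!pr_cchar_valid(pr))
        return NULL;
    *pr->cchar = c;
    return pr->fmt;
}

/* Run the whole sequence on constructed input and return the final fmt
 * (caller frees), or NULL on failure, so the result can be checked. */
static char *demo(const char *spec, const char *tail, char newc)
{
    struct pr pr;
    if (pr_init(&pr, spec) != 0)
        return NULL;
    /* Several appends force repeated reallocations, the situation in which
     * a stale cchar would most likely end up outside the live buffer. */
    for (int i = 0; i < 4; i++) {
        if (pr_append_fmt(&pr, tail) != 0) {
            free(pr.fmt);
            return NULL;
        }
    }
    if (!pr_patch_cchar(&pr, newc)) {
        free(pr.fmt);
        return NULL;
    }
    return pr.fmt;
}

int main(void)
{
    char *out = demo("%x", " is a HEX number", 's');
    printf("%s\n", out ? out : "(cchar invariant broken)");
    free(out);
    return 0;
}
```

The design point is that an offset, not a pointer, is the only thing that survives a realloc; storing the offset in the struct (or recomputing cchar right after every realloc of fmt) removes the hazard entirely, and the bounds check in `pr_cchar_valid` is the cheap assertion that would have caught the original ordering under a sanitizer-free build.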