BusyBox Bug and Patch Tracking
BusyBox
ID: 0004374
Category: [BusyBox] Other
Severity: minor
Reproducibility: always
Date Submitted: 07-27-08 23:43
Last Update: 08-19-08 17:55
Reporter: cristic
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: fixed
Status: closed
Product Version: svn
Summary: 0004374: tr [= buffer overflow
Description
Calling

  tr [=

triggers a buffer overflow, which causes tr to process garbage data:

 53:     while (*arg) {
             ...
             /* "[xyz...", i=x, arg points to y */
136:         if (ENABLE_FEATURE_TR_EQUIV && i == '=') { /* [=CHAR=] */
                 *buffer++ = *arg; /* copy CHAR */
                 arg += 3; /* skip CHAR=] */
                 continue;
             }
             ...

When line tr.c:136 is hit, i is "=", and arg points just past the end of the
original buffer. Then arg is incremented by 3, and the main loop at tr.c:53
continues processing garbage data.
Attached Files: 1.patch (525 bytes) 07-28-08 16:45

- Notes
(0010094)
cristic
07-28-08 00:04

Btw,
  tr [a-
or
  tr [a-z

similarly causes tr to process garbage data.
 
(0010124)
vda
07-28-08 16:46

Please try attached 1.patch
 
(0010144)
cristic
07-30-08 15:26
edited on: 07-30-08 15:28

Hi, the patch is fine, but you need an additional similar check to
prevent an overflow when incomplete ranges are used (e.g., "tr [a-", "tr [a-z").
I think this patch does the job:

                        /* [x-y...] */
                        arg++;
                      + if (!*arg || arg[1] != ']')
                      + bb_show_usage();
                        ac = *arg++;
                        while (i <= ac)
                            *buffer++ = i++;
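Review bot: the order of the two conditions is what makes this safe and should be stated in a comment: `!*arg` is tested first so that, for a set truncated at "[a-", short-circuit evaluation never reads `arg[1]` past the terminator; for "[a-z" the second test then rejects the missing ']'. A more specific diagnostic than bb_show_usage() (an error naming the malformed range) would tell the user which set was bad instead of printing the full usage text.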

I retested tr w/ all three patches applied (the first two you sent and this
one), and it looks like tr is now free of buffer overflows (at least our tool
doesn't find any within one hour).

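As an added example, not BusyBox's tr.c nor the attached 1.patch, a hypothetical stand-in for the bracket handling quoted in the report, with the look-before-consume checks that both fixes above introduce; expand_set, equiv_overrun and the out/outsz parameters are assumed names.

```c
#include <string.h>

/* Hypothetical stand-in for the "[...]" handling the report quotes (not
 * BusyBox's tr.c). Expands SET into out, returning the byte count, or -1
 * when a "[=CHAR=]" or "[x-y]" form is truncated ("[=", "[a-", "[a-z"). */
static int expand_set(const char *arg, char *out, size_t outsz)
{
    size_t n = 0;
    while (*arg) {
        int i = (unsigned char)*arg++;
        if (i == '[' && arg[0] == '=') {            /* [=CHAR=] */
            /* look before consuming; the original did "arg += 3" blindly */
            if (!arg[1] || arg[2] != '=' || arg[3] != ']')
                return -1;
            if (n < outsz) out[n] = arg[1];         /* copy CHAR */
            n++;
            arg += 4;                               /* skip =CHAR=] */
            continue;
        }
        if (i == '[' && arg[0] && arg[1] == '-') {  /* [x-y] */
            /* NUL test first: short-circuit keeps arg[3] inside the string */
            if (!arg[2] || arg[3] != ']')
                return -1;
            int ac = (unsigned char)arg[2];
            for (i = (unsigned char)arg[0]; i <= ac; i++) {
                if (n < outsz) out[n] = (char)i;
                n++;
            }
            arg += 4;                               /* skip x-y] */
            continue;
        }
        if (n < outsz) out[n] = (char)i;            /* ordinary byte */
        n++;
    }
    if (outsz) out[n < outsz ? n : outsz - 1] = '\0';
    return (int)n;
}

/* Replays the unpatched "[=CHAR=]" arithmetic for a set starting with "[="
 * without dereferencing: two "*arg++" reads, then the unconditional
 * "arg += 3". Returns how far past the terminator the cursor lands. */
static long equiv_overrun(const char *set)
{
    size_t len = strlen(set);       /* index of the terminator */
    size_t pos = 2 + 3;
    return pos > len ? (long)(pos - len) : 0;
}
```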
 
(0010154)
vda
07-30-08 15:58

done
 

- Issue History
Date Modified Username Field Change
07-27-08 23:43 cristic New Issue
07-27-08 23:43 cristic Status new => assigned
07-27-08 23:43 cristic Assigned To  => BusyBox
07-27-08 23:44 cristic Issue Monitored: cristic
07-28-08 00:04 cristic Note Added: 0010094
07-28-08 16:45 vda File Added: 1.patch
07-28-08 16:46 vda Note Added: 0010124
07-30-08 15:26 cristic Note Added: 0010144
07-30-08 15:27 cristic Note Edited: 0010144
07-30-08 15:28 cristic Note Edited: 0010144
07-30-08 15:28 cristic Note Edited: 0010144
07-30-08 15:28 cristic Note Edited: 0010144
07-30-08 15:58 vda Note Added: 0010154
08-19-08 17:55 vda Status assigned => closed
08-19-08 17:55 vda Resolution open => fixed
08-19-08 17:55 vda Fixed in Version  => svn


Copyright © 2000 - 2006 Mantis Group
Powered by Mantis Bugtracker