diff options
| author | Ron Yorston <rmy@pobox.com> | 2020-01-19 09:16:08 +0000 |
|---|---|---|
| committer | Ron Yorston <rmy@pobox.com> | 2020-01-19 09:16:08 +0000 |
| commit | a22490b9f4c2feb04f1f7bcbd0e8e51fc87a16b7 (patch) | |
| tree | 8cd8159984a5c29c7e3c867de2447e770debdfa1 | |
| parent | dd15e2a2d6fcd93486f01f8ad8f8c2b7f6a7a317 (diff) | |
| download | busybox-w32-a22490b9f4c2feb04f1f7bcbd0e8e51fc87a16b7.tar.gz busybox-w32-a22490b9f4c2feb04f1f7bcbd0e8e51fc87a16b7.tar.bz2 busybox-w32-a22490b9f4c2feb04f1f7bcbd0e8e51fc87a16b7.zip | |
ash: fix out of bounds read in tblentry_copy()
Commit 2ffcb860e (ash: minor fixes to forkshell handling) ensured
that tblentry structures were properly aligned but also resulted
in reads beyond the end of the allocated structure.
| -rw-r--r-- | shell/ash.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/shell/ash.c b/shell/ash.c index 20c2590db..9a42b9d78 100644 --- a/shell/ash.c +++ b/shell/ash.c | |||
| @@ -15619,7 +15619,7 @@ tblentry_copy(struct tblentry *tep) | |||
| 15619 | size = sizeof(struct tblentry) + align_len(tep->cmdname); | 15619 | size = sizeof(struct tblentry) + align_len(tep->cmdname); |
| 15620 | 15620 | ||
| 15621 | funcblock = (char *) funcblock + size; | 15621 | funcblock = (char *) funcblock + size; |
| 15622 | memcpy(*newp, tep, size); | 15622 | memcpy(*newp, tep, sizeof(struct tblentry)+strlen(tep->cmdname)); |
| 15623 | switch (tep->cmdtype) { | 15623 | switch (tep->cmdtype) { |
| 15624 | case CMDBUILTIN: | 15624 | case CMDBUILTIN: |
| 15625 | /* Save index of builtin, not pointer; fixed by forkshell_init() */ | 15625 | /* Save index of builtin, not pointer; fixed by forkshell_init() */ |