[freenos] Re: about freenos shell

  • From: Niek Linnenbank <nieklinnenbank@xxxxxxxxx>
  • To: 张陈华 <zch051383471952@xxxxxxxxx>
  • Date: Thu, 26 Aug 2010 16:20:15 +0200

Hi Alex,

In the while() loop the 'argc < maxArgv' condition should prevent
overwriting any elements beyond MAX_ARGV.

If you think there exists a buffer overflow in the code, a proof-of-concept
exploit scenario and a possible patch would be very much appreciated :-)

Regards,

Niek

On Thu, Aug 26, 2010 at 10:50 AM, 张陈华 <zch051383471952@xxxxxxxxx> wrote:

> Hi Niek:
>    I found a problem in freenos's shell.
> http://code.google.com/p/freenos/source/browse/trunk/bin/sh/Shell.cpp
>
> int Shell::execute(char *command)
>  {
>      char *argv[MAX_ARGV];
>      char tmp[128];
>      ShellCommand *cmd;
>      Size argc;
>      int pid, status;
>
>      /* Valid argument? */
>      if (!strlen(command))
>      {
>          return EXIT_SUCCESS;
>      }
>      /* Attempt to extract arguments. */
>      argc = parse(command, argv, MAX_ARGV); .................
>
>
>  Size Shell::parse(char *cmdline, char **argv, Size maxArgv)
>  {
>      Size argc;
>
>      for (argc = 0; argc < maxArgv && *cmdline; argc++)
>      {
>          while (*cmdline && *cmdline == ' ')
>              cmdline++;
>
>          argv[argc] = cmdline;
>
>          while (*cmdline && *cmdline != ' ')
>              cmdline++;
>
>          if (*cmdline) *cmdline++ = ZERO;
>      }
>      argv[argc] = ZERO;
>      return argc;
>  }
>
> So if the command's arguments exceed maxArgv (MAX_ARGV is 16), then in parse()
> argv[argc] = ZERO, that means argv[16] = ZERO; in execute(), argv is declared as
> char *argv[16], then it will cause a buffer overflow. I'm not sure if it is
> right; if what I found is wrong, I'm sorry.
>
>
> -- alex zhang
>



-- 
Niek Linnenbank

WWW: http://www.nieklinnenbank.nl/
BLOG: http://nieklinnenbank.wordpress.com/
FUN:    http://www.FreeNOS.org/
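What Alex describes can be checked with a stand-alone harness. The block below is an added example, not code from FreeNOS or from either poster: it reproduces the quoted parse() as a plain C function, puts a candidate fix beside it, and runs both over a few constructed command lines using an argv array one slot larger than the parser is told, so a terminator store past the end of a MAX_ARGV-sized array becomes observable instead of undefined behaviour. MAX_ARGV = 16 (as Alex quotes it), ZERO = 0 and Size = size_t are assumptions taken from the thread, not from a FreeNOS checkout, and the sample command lines are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumptions taken from the thread, not from a FreeNOS checkout. */
#define MAX_ARGV 16          /* Alex quotes MAX_ARGV as 16 */
#define ZERO 0
typedef size_t Size;

/* parse() as quoted in the thread, as a free function instead of a method.
 * The loop condition lets argc climb to maxArgv itself, after which the
 * terminating store writes argv[maxArgv]: one element past an array of
 * maxArgv slots, which is what execute() passes in. */
static Size parse_as_posted(char *cmdline, char **argv, Size maxArgv)
{
    Size argc;

    for (argc = 0; argc < maxArgv && *cmdline; argc++)
    {
        while (*cmdline && *cmdline == ' ')
            cmdline++;

        argv[argc] = cmdline;

        while (*cmdline && *cmdline != ' ')
            cmdline++;

        if (*cmdline) *cmdline++ = ZERO;
    }
    argv[argc] = ZERO;      /* argc == maxArgv here once the input has maxArgv words */
    return argc;
}

/* Candidate fix: keep one slot free for the terminator, so argc never
 * exceeds maxArgv - 1 and argv[argc] stays inside the caller's array.
 * Words that do not fit are left unparsed in cmdline, not written anywhere. */
static Size parse_fixed(char *cmdline, char **argv, Size maxArgv)
{
    Size argc;

    if (maxArgv == 0)       /* no room even for the terminator */
        return 0;

    for (argc = 0; argc + 1 < maxArgv && *cmdline; argc++)
    {
        while (*cmdline && *cmdline == ' ')
            cmdline++;

        argv[argc] = cmdline;

        while (*cmdline && *cmdline != ' ')
            cmdline++;

        if (*cmdline) *cmdline++ = ZERO;
    }
    argv[argc] = ZERO;
    return argc;
}

struct parse_probe {
    Size argc;            /* value the parser returned */
    int  terminator_oob;  /* 1 if the NULL terminator landed in argv[MAX_ARGV] */
};

static char canary_target;  /* any non-NULL address serves as the canary value */

/* Run one parser over a copy of `input` with maxArgv = MAX_ARGV, using an
 * argv array one slot larger than the parser is told. The extra slot holds a
 * canary pointer; if the parser overwrites it, the terminator went out of
 * bounds of the MAX_ARGV-slot array that execute() would actually have. */
static struct parse_probe run_probe(Size (*parser)(char *, char **, Size),
                                    const char *input)
{
    char buf[256];
    char *argv[MAX_ARGV + 1];
    struct parse_probe r;

    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    memset(argv, 0, sizeof argv);
    argv[MAX_ARGV] = &canary_target;   /* the slot char *argv[MAX_ARGV] does not have */

    r.argc = parser(buf, argv, MAX_ARGV);
    r.terminator_oob = (argv[MAX_ARGV] != &canary_target);
    return r;
}

/* Constructed sample command lines (not taken from the thread). */
static const char *const kShortCommand = "ls -l /tmp";                      /* 3 words */
static const char *const kSixteenWords = "a b c d e f g h i j k l m n o p"; /* exactly MAX_ARGV words */
static const char *const kTwentyWords  = "echo 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19";

int main(void)
{
    const char *const inputs[] = { kShortCommand, kSixteenWords, kTwentyWords };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    {
        struct parse_probe posted = run_probe(parse_as_posted, inputs[i]);
        struct parse_probe fixed  = run_probe(parse_fixed, inputs[i]);

        printf("\"%s\"\n  as posted: argc=%zu terminator out of bounds=%d\n"
               "  fixed:     argc=%zu terminator out of bounds=%d\n",
               inputs[i], posted.argc, posted.terminator_oob,
               fixed.argc, fixed.terminator_oob);
    }
    return 0;
}
```

Two things the harness makes visible. First, the threshold is a command line with MAX_ARGV words, not more than MAX_ARGV: with sixteen words the loop exits with argc == 16 and the terminator goes to argv[16]. Second, what that one-pointer store of NULL past the end of execute()'s argv actually clobbers depends on the compiler's stack layout, which the thread does not establish, so the example only shows that the write happens. The candidate fix silently drops words beyond the fifteenth; a caller that wants to reject such commands rather than truncate them can check whether the parser consumed all of cmdline.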
