Hi Alex,

In the while() loop the 'argc < maxArgv' condition should prevent overwriting any elements beyond MAX_ARGV. If you think there exists a buffer overflow in the code, a proof-of-concept exploit scenario and a possible patch would be very much appreciated :-)

Regards,
Niek

On Thu, Aug 26, 2010 at 10:50 AM, 张陈华 <zch051383471952@xxxxxxxxx> wrote:
> Hi Niek:
> I find a problem in FreeNOS's shell.
> http://code.google.com/p/freenos/source/browse/trunk/bin/sh/Shell.cpp
>
> int Shell::execute(char *command)
> {
>     char *argv[MAX_ARGV];
>     char tmp[128];
>     ShellCommand *cmd;
>     Size argc;
>     int pid, status;
>
>     /* Valid argument? */
>     if (!strlen(command))
>     {
>         return EXIT_SUCCESS;
>     }
>     /* Attempt to extract arguments. */
>     argc = parse(command, argv, MAX_ARGV);
>     .................
>
>
> Size Shell::parse(char *cmdline, char **argv, Size maxArgv)
> {
>     Size argc;
>
>     for (argc = 0; argc < maxArgv && *cmdline; argc++)
>     {
>         while (*cmdline && *cmdline == ' ')
>             cmdline++;
>
>         argv[argc] = cmdline;
>
>         while (*cmdline && *cmdline != ' ')
>             cmdline++;
>
>         if (*cmdline) *cmdline++ = ZERO;
>     }
>     argv[argc] = ZERO;
>     return argc;
> }
>
> So if the command arguments exceed maxArgv (MAX_ARGV 16), then in parse()
> argv[argc] = ZERO means argv[16] = ZERO. In execute(), argv is declared as
> char *argv[16], so this will cause a buffer overflow. I'm not sure if it is
> right; if what I found is wrong, I'm sorry.
>
>
> --
> alex zhang
>

--
Niek Linnenbank
WWW: http://www.nieklinnenbank.nl/
BLOG: http://nieklinnenbank.wordpress.com/
FUN: http://www.FreeNOS.org/
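The following is an added example to accompany the thread; it is not FreeNOS code and was written by neither correspondent. It transcribes the quoted parse() loop into plain C (the typedef Size, the macro ZERO and MAX_ARGV = 16 are stand-ins for the FreeNOS definitions) and places a sentinel pointer in a guard slot just past a MAX_ARGV-element window, so the off-by-one can be observed without actually writing out of bounds. A second parse_fixed() variant reserves the last slot for the terminator. The build_line(), terminator_out_of_bounds() and parsed_count() helpers and the "a0 a1 ... aN" input are constructed here for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the FreeNOS typedef and macros (assumed, not the project's headers). */
typedef size_t Size;
#define ZERO 0
#define MAX_ARGV 16

/* Transcription of the quoted Shell::parse(). When the input has maxArgv or more
 * arguments the for loop exits with argc == maxArgv, and the trailing
 * argv[argc] = ZERO then stores the terminator one slot past a maxArgv-element array. */
Size parse_quoted(char *cmdline, char **argv, Size maxArgv)
{
    Size argc;
    for (argc = 0; argc < maxArgv && *cmdline; argc++)
    {
        while (*cmdline && *cmdline == ' ')
            cmdline++;
        argv[argc] = cmdline;
        while (*cmdline && *cmdline != ' ')
            cmdline++;
        if (*cmdline) *cmdline++ = ZERO;
    }
    argv[argc] = ZERO;
    return argc;
}

/* Possible patch: keep the last slot for the terminator, so at most maxArgv - 1
 * arguments are stored and argv[argc] is always inside the array. */
Size parse_fixed(char *cmdline, char **argv, Size maxArgv)
{
    Size argc;
    for (argc = 0; argc + 1 < maxArgv && *cmdline; argc++)
    {
        while (*cmdline && *cmdline == ' ')
            cmdline++;
        argv[argc] = cmdline;
        while (*cmdline && *cmdline != ' ')
            cmdline++;
        if (*cmdline) *cmdline++ = ZERO;
    }
    argv[argc] = ZERO;
    return argc;
}

/* Constructed input: writes "a0 a1 ... a{nargs-1}" into buf. */
static void build_line(char *buf, size_t cap, int nargs)
{
    size_t used = 0;
    int i;
    buf[0] = 0;
    for (i = 0; i < nargs && used + 8 < cap; i++)
        used += (size_t)snprintf(buf + used, cap - used, i ? " a%d" : "a%d", i);
}

/* Probe: the argv array is deliberately MAX_ARGV + 1 long and its extra slot holds a
 * sentinel. parse() is told the window is MAX_ARGV wide; if the sentinel is gone
 * afterwards, the terminator was written outside that window. Returns 1 on overwrite. */
int terminator_out_of_bounds(Size (*parse)(char *, char **, Size), int nargs)
{
    char buf[256];
    char *argv[MAX_ARGV + 1];
    char sentinel = 0;
    build_line(buf, sizeof buf, nargs);
    argv[MAX_ARGV] = &sentinel;      /* guard slot just past the window */
    parse(buf, argv, MAX_ARGV);
    return argv[MAX_ARGV] != &sentinel;
}

/* Number of arguments a given parse() reports for an nargs-word line. */
Size parsed_count(Size (*parse)(char *, char **, Size), int nargs)
{
    char buf[256];
    char *argv[MAX_ARGV + 1];        /* one spare slot keeps the probe itself in bounds */
    build_line(buf, sizeof buf, nargs);
    return parse(buf, argv, MAX_ARGV);
}

int main(void)
{
    printf("quoted parse, 15 args: out-of-window write = %d\n", terminator_out_of_bounds(parse_quoted, 15));
    printf("quoted parse, 16 args: out-of-window write = %d\n", terminator_out_of_bounds(parse_quoted, 16));
    printf("fixed parse,  16 args: out-of-window write = %d, argc = %zu\n",
           terminator_out_of_bounds(parse_fixed, 16), parsed_count(parse_fixed, 16));
    return 0;
}
```

With 15 words the quoted loop stops at argc = 15 and the terminator lands in argv[15]; with 16 or more it stops at argc = 16 and the terminator lands in argv[16], which in execute() is the slot after `char *argv[MAX_ARGV]`. The fixed variant truncates to MAX_ARGV - 1 arguments; an equivalent alternative is to declare the array in execute() as MAX_ARGV + 1 elements, in which case the caller's declaration rather than parse() carries the invariant and every call site has to honour it.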