busybox
If BusyBox is compiled with FEATURE_CLEAN_UP, the dmesg command segfaults when invoked with the "-n" option because it calls free() on an uninitialized pointer.
Bug fixed by commit eef2317b9f5
| Type | UninitializedVariable |
| Config | FEATURE_CLEAN_UP (1st degree) |
| C-features | PointerArithmetic |
| Fix-in | code |
| Location | util-linux/ |
#include <stdlib.h>
#include <getopt.h>
/*
 * Minimal reproduction of the BusyBox dmesg bug: when CONFIG_FEATURE_CLEAN_UP
 * is defined, the 'n' option reaches the cleanup code with buf never assigned.
 * Left unfixed on purpose: this is the pre-patch state of simple/eef2317.c.
 *
 * Always returns 0.
 */
int main(int argc, char **argv)
{
char *buf; // BUG: no initializer, so the value is indeterminate until malloc() below
int bufsize = 8196;
int i;
int cmd = 3;
// Option parsing: 'c' selects cmd 4 and 'n' selects cmd 8; 's' is accepted by
// the option string but has no case in the switch.
while ((i = getopt(argc, argv, "cn:s:")) > 0) {
switch (i) {
case 'c':
cmd = 4;
break;
case 'n':
cmd = 8;
break;
}
}
// The 'n' path jumps over the only assignment to buf.
if (cmd == 8) {
goto all_done;
}
buf = malloc(bufsize);
all_done:
#ifdef CONFIG_FEATURE_CLEAN_UP
if (buf) { // WARNING: reads an indeterminate pointer on the 'n' path (undefined behaviour)
free(buf); // ERROR: may hand an arbitrary address to free(), the crash reported for dmesg -n
}
#endif
return 0;
}
diff --git a/simple/eef2317.c b/simple/eef2317.c
--- a/simple/eef2317.c
+++ b/simple/eef2317.c
@@ -4,7 +4,11 @@
int main(int argc, char **argv)
{
- char *buf;
+ char *buf
+#ifdef CONFIG_FEATURE_CLEAN_UP
+ = NULL
+#endif
+ ;
int bufsize = 8196;
int i;
int cmd = 3;
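Review bot: The initializer is compiled in only when CONFIG_FEATURE_CLEAN_UP is defined, so `buf` stays indeterminate in every other configuration and the declaration is spread over five lines with preprocessor directives in the middle of it. That is safe only while the sole reader of `buf` on the early-exit path sits inside the same `#ifdef`; any later read added outside it would bring the bug back without a compiler error. An unconditional `char *buf = NULL;` costs nothing measurable and removes the configuration dependence. The rest of main, including the cleanup that reads `buf`, lies outside this hunk.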
#include <stdlib.h>
#include <getopt.h>
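/*
 * Reduced model of BusyBox dmesg_main(): parse the options, allocate the
 * message buffer unless 'n' was given, and release the buffer on exit when
 * CONFIG_FEATURE_CLEAN_UP is defined.
 *
 * buf starts out as NULL in every configuration. The 'n' path jumps over
 * malloc(), so without the initializer the cleanup code would read an
 * indeterminate pointer and could pass an arbitrary address to free().
 *
 * Always returns 0.
 */
int main(int argc, char **argv)
{
    char *buf = NULL;
    int bufsize = 8196;
    int i;
    int cmd = 3;

    while ((i = getopt(argc, argv, "cn:s:")) > 0) {
        switch (i) {
        case 'c':
            cmd = 4;
            break;
        case 'n':
            cmd = 8;
            break;
        default:
            /* 's' and unrecognised options leave cmd unchanged. */
            break;
        }
    }

    if (cmd == 8) {
        /* No allocation on this path; buf is still NULL at all_done. */
        goto all_done;
    }

    buf = malloc(bufsize);

all_done:
#ifdef CONFIG_FEATURE_CLEAN_UP
    /* free(NULL) is a no-op, so the 'n' path and a failed malloc() are both safe. */
    free(buf);
#endif
    return 0;
}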
. call util-linux/dmesg.c:29:dmesg_main(); . goto:65:all_done; . ERROR [FEATURE_CLEAN_UP] 89:free(buf);