Summary
A NULL pointer dereference exists in BusyBox wget when the -T option is accepted while FEATURE_WGET_TIMEOUT is disabled.
Tested environment
- BusyBox version: 1.30.1 (Ubuntu package 1:1.30.1-7ubuntu3.1)
- Distribution: Ubuntu 22.04.5 LTS
- Architecture: amd64
Minimal reproduction
Also reproducible with:
busybox wget -T 1
busybox wget -T 10
Observed result
The process crashes with:
Segmentation fault (core dumped)
Root cause analysis
In networking/wget.c, the option string still exposes the timeout option:
However, the write-back target for that option is conditionally compiled as:
IF_FEATURE_WGET_TIMEOUT(&G.timeout_seconds) IF_NOT_FEATURE_WGET_TIMEOUT(NULL)
When FEATURE_WGET_TIMEOUT is disabled, getopt32 still parses -T as an integer option, but the destination pointer becomes NULL. The generic BusyBox option parser then writes the parsed integer through a NULL pointer.
Observed crash point from local debugging:
libbb/getopt32.c:564
*(unsigned*)(on_off->optarg) = xatoi_positive(optarg);
Observed backtrace:
- vgetopt32() at libbb/getopt32.c:564
- getopt32long() at libbb/getopt32.c:615
- wget_main() at networking/wget.c:1473
Impact
This appears to be a local denial of service against busybox wget. I have not confirmed privilege escalation, code execution, or information disclosure.
Suggested fix
- Do not expose -T when FEATURE_WGET_TIMEOUT is disabled
- Optionally add a NULL guard in the integer write-back path in libbb/getopt32.c
Summary
A NULL pointer dereference exists in BusyBox wget when the -T option is accepted while FEATURE_WGET_TIMEOUT is disabled.
Tested environment
Minimal reproduction
Also reproducible with:
Observed result
The process crashes with:
Root cause analysis
In networking/wget.c, the option string still exposes the timeout option:
However, the write-back target for that option is conditionally compiled as:
When FEATURE_WGET_TIMEOUT is disabled, getopt32 still parses -T as an integer option, but the destination pointer becomes NULL. The generic BusyBox option parser then writes the parsed integer through a NULL pointer.
Observed crash point from local debugging:
Observed backtrace:
Impact
This appears to be a local denial of service against busybox wget. I have not confirmed privilege escalation, code execution, or information disclosure.
Suggested fix