Re: Buffer overflow in bash 1.14.7(1)

From: Wichert Akkerman (wichertat_private)
Date: Sat Sep 05 1998 - 15:59:05 PDT


    --k+w/mQv8wyuph6w0
    Content-Type: text/plain; charset=us-ascii
    
    
    Some further looking revealed that bash segfaulted when calling strlen
    to get the length of the cwd, after getcwd() had returned NULL because
    the cwd was too long.
    
    This patch fixes that by setting PWD to "." if the cwd is too long.
    
    Wichert.
    
    diff -ru org/bash-2.01.1/builtins/cd.def bash-2.01.1/builtins/cd.def
    --- org/bash-2.01.1/builtins/cd.def     Fri Apr 11 18:55:47 1997
    +++ bash-2.01.1/builtins/cd.def Sun Sep  6 00:53:16 1998
    @@ -146,11 +146,19 @@
          needing a remake. */
       if (old_anm == 0 && array_needs_making && exported_p (tvar))
         {
    -      pwdvar = xmalloc (strlen (dirname) + 5); /* 5 = "PWD" + '=' + '\0' */
    -      strcpy (pwdvar, "PWD=");
    -      strcpy (pwdvar + 4, dirname);
    -      add_or_supercede_exported_var (pwdvar, 0);
    -      array_needs_making = 0;
    +      if (dirname!=0)
    +        {
    +          pwdvar = xmalloc (strlen (dirname) + 5);     /* 5 = "PWD" + '=' + '\0' */
    +          strcpy (pwdvar, "PWD=");
    +          strcpy (pwdvar + 4, dirname);
    +        }
    +      else
    +        {
    +          pwdvar=xmalloc (6);
    +          strcpy (pwdvar, "PWD=.");
    +        }
    +        add_or_supercede_exported_var (pwdvar, 0);
    +        array_needs_making = 0;
         }
    
       FREE (dirname);
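Review bot: The fallback branch hard-codes its allocation size in `pwdvar=xmalloc (6);` with nothing tying it to the literal copied on the next line, so a later edit to the "PWD=." string could overrun the buffer; `pwdvar = xmalloc (sizeof ("PWD=."));` keeps the two in step. The `add_or_supercede_exported_var (pwdvar, 0);` and `array_needs_making = 0;` lines after the else block are indented two columns deeper than the `if`, which makes them read as part of the else branch; they should line up with the `if`. The new NULL guard only protects this use of `dirname`, and the enclosing function starts and ends outside the hunk, so whether other code in it dereferences a NULL `dirname` cannot be confirmed from here. The else branch would also benefit from a comment such as `/* getcwd() failed; export a relative PWD rather than crash */`, since consumers of PWD generally expect an absolute path.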
    
    
    
    --k+w/mQv8wyuph6w0
    Content-Type: application/pgp-signature
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    
    iQB1AwUBNfHCOajZR/ntlUftAQHuWQL/alQLr5eccdzCys0PDPlHdgRbqEpQ1wbV
    /UMVIRI+uIfxMwogpX+n32zjTSkXNqRJkdfyAcPfJC44nktp8MfaALzm8koh93+C
    DSktbWMtdS84/97TE0eGF9Qq6Ywti1dV
    =Yrtt
    -----END PGP SIGNATURE-----
    
    --k+w/mQv8wyuph6w0--
    


