bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bash 2.05 mishandles TCP connections to negative services


From: Paul Eggert
Subject: Bash 2.05 mishandles TCP connections to negative services
Date: Mon, 30 Apr 2001 06:39:20 -0700 (PDT)

From: eggert
To: address@hidden
Subject: [50 character or so descriptive subject here (for reference)]

Configuration Information [Automatically generated, do not change]:
Machine: sparc
OS: solaris2.7
Compiler: cc -xarch=v9
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='sparc' 
-DCONF_OSTYPE='solaris2.7' -DCONF_MACHTYPE='sparc-sun-solaris2.7' 
-DCONF_VENDOR='sun' -DSHELL  -DHAVE_CONFIG_H  -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -I.  -I.. -I../include -I../lib 
-I/tmp/prefix/include -g
uname output: SunOS sic.twinsun.com 5.7 Generic_106541-15 sun4u sparc 
SUNW,UltraSPARC-IIi-Engine
Machine Type: sparc-sun-solaris2.7

Bash Version: 2.05
Patch Level: 0
Release Status: release

Description:
        Bash 2.05 mishandles overflow checking when testing for invalid
        TCP service numbers.  It tests for ports that are too large, but
        it doesn't test for negative ports.

Repeat-By:
        $ cat </dev/tcp/localhost/100000
        bash: 100000: invalid service
        bash: /dev/tcp/localhost/100000: Invalid argument
        $ cat </dev/tcp/localhost/-1
        bash: connect: Connection refused
        bash: /dev/tcp/localhost/-1: Connection refused

        The two results should be similar, but with port -1 Bash
        actually attempts to connect to port 65535.

Fix:
2001-04-30  Paul Eggert  <address@hidden>

        * lib/sh/netopen.c (_getserv): Reject negative service numbers.

===================================================================
RCS file: lib/sh/netopen.c,v
retrieving revision 2.5
retrieving revision 2.5.0.1
diff -pu -r2.5 -r2.5.0.1
--- lib/sh/netopen.c    2000/08/01 18:59:59     2.5
+++ lib/sh/netopen.c    2001/04/30 13:33:45     2.5.0.1
@@ -107,9 +107,9 @@ _getserv (serv, proto, pp)
 
   if (legal_number (serv, &l))
     {
-      if (l > 65535)
-       return 0;
       s = (unsigned short)(l & 0xFFFF);
+      if (s != l)
+       return 0;
       s = htons (s);
       if (pp)
        *pp = s;



reply via email to

[Prev in Thread] Current Thread [Next in Thread]