bug-bash
32-byte static buffer can overflow in shell_version_string()


From: Steven Augart
Subject: 32-byte static buffer can overflow in shell_version_string()
Date: Tue, 30 Sep 2003 20:20:42 -0400

Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DSHELL -DHAVE_CONFIG_H  -I.  -I. -I./include -I./lib  -pipe 
-ggdb3 -W -Wall -Wbad-function-cast -Wcast-align -Wpointer-arith -Wcast-qual 
-Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-fkeep-static-consts  -fkeep-inline-functions -Wundef -Wwrite-strings 
-Wno-aggregate-return -Wmissing-noreturn -Wnested-externs -Wtrigraphs 
-Wconversion -Wsign-compare -Wno-float-equal -Wmissing-format-attribute 
-Wno-unreachable-code -Wdisabled-optimization -Wendif-labels
uname output: Linux bilbo.watson.ibm.com 2.4.20-18.7 #1 Thu May 29 08:32:50 EDT 
2003 i686 unknown
Machine Type: i686-pc-linux-gnu

Bash Version: 2.05b
Patch Level: 0
Release Status: release

Description:
        32-byte static buffer holds shell version string, with no overflow checks.

Repeat-By:
        Set the RELSTATUS variable in Makefile to something long, such as:
                RELSTATUS = experimental_augart_magic_rm1

        Recompile Bash with "make -w".
        Run Bash with ./bash.
        Bash will overwrite global variables the first time shell_version_string() is called (and it always is called, upon shell startup).

Fix:

Apply this patch.  (I'm not clear on why you even want to be using a
static buffer for this; perhaps asprintf() is not available on all the
platforms you want Bash to run on?  Since Bash and asprintf() are both
GPL'd, it seems it would be easy to include asprintf.c in the bash
distribution.)

--- bash-2.05b/version.c        Wed Apr  3 13:49:19 2002
+++ bash-2.05b+augart1/version.c        Wed Oct  1 00:14:06 2003
@@ -52,9 +52,9 @@
   if (tt[0] == '\0')
     {
       if (release_status)
-       sprintf (tt, "%s.%d(%d)-%s", dist_version, patch_level, build_version, 
release_status);
+       snprintf (tt, sizeof tt, "%s.%d(%d)-%s", dist_version, patch_level, 
build_version, release_status);
       else
-       sprintf (tt, "%s.%d(%d)", dist_version, patch_level, build_version);
+       snprintf (tt, sizeof tt, "%s.%d(%d)", dist_version, patch_level, 
build_version);
     }
   return tt;
 }
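
Review bot: Both snprintf calls discard the return value, so a release_status that does not fit in tt is now silently truncated and the caller gets a shortened version string with no indication. Consider comparing the result against sizeof tt and handling the over-long case, or sizing the buffer from the inputs. Also, sizeof tt only yields the buffer size if tt is declared as an array in this function; the declaration is outside the hunk's context, so that is worth confirming. Finally, the changed lines were wrapped by the mailer (the continuation lines "release_status);" and "build_version);" carry no +/- prefix), so the patch will not apply as posted.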

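The following is an added example, not code from Bash or from the original post. It formats the version string from the report two ways: into a fixed 32-byte buffer with truncation reported to the caller, and into an exactly sized heap buffer using only C99 snprintf (a portable stand-in for the asprintf() approach the post mentions). The function names and the build number 1 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VERSION_BUF_SIZE 32	/* buffer size stated in the report */

/* Shared formatter; returns what snprintf returns: the length the full
   string needs (excluding the NUL), or a negative value on error. */
static int
version_snprintf (char *buf, size_t size, const char *dist, int patch,
		  int build, const char *status)
{
  if (status)
    return snprintf (buf, size, "%s.%d(%d)-%s", dist, patch, build, status);
  return snprintf (buf, size, "%s.%d(%d)", dist, patch, build);
}

/* Fixed buffer: 0 if the string fit, -1 if it was truncated or failed.
   With size > 0 the buffer is NUL-terminated even when truncated. */
static int
format_version_bounded (char *buf, size_t size, const char *dist, int patch,
			int build, const char *status)
{
  int n = version_snprintf (buf, size, dist, patch, build, status);
  return (n < 0 || (size_t) n >= size) ? -1 : 0;
}

/* Exact size: measure with a zero-length call (C99 semantics assumed),
   then allocate and format.  Caller frees.  NULL on failure. */
static char *
format_version_alloc (const char *dist, int patch, int build,
		      const char *status)
{
  int n = version_snprintf (NULL, 0, dist, patch, build, status);
  char *s = (n < 0) ? NULL : malloc ((size_t) n + 1);
  if (s)
    version_snprintf (s, (size_t) n + 1, dist, patch, build, status);
  return s;
}

int
main (void)
{
  char tt[VERSION_BUF_SIZE];
  const char *status = "experimental_augart_magic_rm1";	/* from the report */
  if (format_version_bounded (tt, sizeof tt, "2.05b", 0, 1, status) != 0)
    printf ("truncated: %s\n", tt);
  char *full = format_version_alloc ("2.05b", 0, 1, status);
  if (full)
    printf ("full: %s (%zu bytes needed)\n", full, strlen (full) + 1);
  free (full);
  return 0;
}
```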