bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential buffer under-run in shell_execve()


From: Chet Ramey
Subject: Re: Potential buffer under-run in shell_execve()
Date: Tue, 16 Aug 2016 10:15:09 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 8/13/16 10:01 PM, John E. Malmberg wrote:
> Hello,
> 
> In Bash 4.3.42:
> 
> In execute_cmd/shell_execve(), if HAVE_BASH_BANG_EXEC is defined, the macro
> READ_SAMPLE_BUF has the potential to set sample_len to -1.
> 
> #if defined (HAVE_HASH_BANG_EXEC)
>           READ_SAMPLE_BUF (command, sample, sample_len);
>           sample[sample_len - 1] = '\0';
> 
> This would cause sample[-2] to be set to 0.  Most likely it would set part
> of fd to 0, but all that depends on the compiler.

Thanks for the report.  Since this code path is taken on failure, and the
child process exits immediately afterward, it's likely not dangerous.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]