bug-make

[bug #65588] A buffer overrun in handling of .SHELLFLAGS.


From: Dmitry Goncharov
Subject: [bug #65588] A buffer overrun in handling of .SHELLFLAGS.
Date: Sat, 13 Apr 2024 10:30:24 -0400 (EDT)

Follow-up Comment #1, bug #65588 (group make):

A buffer overflow occurs in oneshell mode when shellflags contains characters
special to shell.


$ cat makefile
.ONESHELL:
.SHELLFLAGS:=hello'
all:;:
$ make
Aborted (core dumped)


In oneshell mode construct_command_argv_internal wants to store in argv[0]
the value of shell, followed by shellflags, followed by the command line.
construct_command_argv_internal preallocates memory with

nextp = new_argv[0] = xmalloc (shell_len + sflags_len + line_len + 3);

construct_command_argv_internal is then used recursively to construct argv from
shellflags.  If shellflags contains characters special to shell, then this
recursive call does the so-called slow mode and constructs argv of "/bin/sh",
"-c", and the value of shellflags.
One problem is that the top construct_command_argv_internal never allocated
room for the "/bin/sh" and "-c".

Aside from the overflow, it is incorrect to prepend "/bin/sh" and "-c" to
shellflags. Preallocating more room in top construct_command_argv_internal can
solve the overflow, but the resultant command line stays incorrect, because
shellflags were not supposed to carry "/bin/sh" and "-c".

This fix parses shellflags without help from construct_command_argv_internal
and lets shellflags carry quoted tokens in oneshell mode, even when special
characters are present.

The fix is split into 2 parts to simplify review.
Part 1 is a refactoring which makes it possible to avoid multiple redundant if checks.
Part 2 is the actual fix and is supposed to be applied after part 1.

Tested on linux-x86, sunos-sparc and aix-powerpc, all 64 and 32 bits.



Reply to this item at:

  <https://savannah.gnu.org/bugs/?65588>
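The sizing mismatch described in the report, modelled as an added example (this is not GNU make's code): argv[0] is built by copying space-separated tokens and a terminating NUL, the "+ 3" of the original allocation is read as two separators plus the NUL, and the set of characters that force the slow path is an assumed approximation of make's own list.

```c
/* Added example, not GNU make's code: model of how the argv[0] buffer that
 * construct_command_argv_internal preallocates in .ONESHELL mode becomes
 * too small once .SHELLFLAGS takes the slow path and is wrapped in
 * "/bin/sh" "-c".  Token joining (one space between tokens, final NUL) and
 * the metacharacter list are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SLOW_PATH_SHELL "/bin/sh"
#define SLOW_PATH_OPT   "-c"

/* Assumed approximation of the characters that force the slow path. */
bool needs_slow_path(const char *s)
{
    return strpbrk(s, "#;\"*?[]&|<>(){}$`'^~!\\\n") != NULL;
}

/* Bytes the original code reserves: shell + flags + line + 3. */
size_t preallocated(const char *shell, const char *flags, const char *line)
{
    return strlen(shell) + strlen(flags) + strlen(line) + 3;
}

/* Bytes actually copied into argv[0]: every token plus a separator, plus the
 * NUL.  On the slow path the flags expand into three tokens ("/bin/sh",
 * "-c", flags), and the two extra tokens were never accounted for. */
size_t actually_needed(const char *shell, const char *flags, const char *line)
{
    size_t n = strlen(shell) + 1 + strlen(flags) + 1 + strlen(line) + 1;
    if (needs_slow_path(flags))
        n += strlen(SLOW_PATH_SHELL) + 1 + strlen(SLOW_PATH_OPT) + 1;
    return n;
}

/* True when the copy would run past the preallocated buffer; a sizing
 * check like this, done after tokenisation, is what the fixed path needs. */
bool would_overrun(const char *shell, const char *flags, const char *line)
{
    return actually_needed(shell, flags, line) > preallocated(shell, flags, line);
}
```

With the report's makefile (`.SHELLFLAGS:=hello'`, recipe `:`) the model reserves 17 bytes but copies 28, while a plain `-ec` fits exactly.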
