fix for buffer overflow in gawk
From: Aharon Robbins
Subject: fix for buffer overflow in gawk
Date: Sun, 17 Mar 2002 17:50:53 +0200
Greetings. A user reported the following:
> To: address@hidden
> Date: Thu, 14 Mar 2002 22:21:38 -0500
> Subject: buffer overflow in g/awk
>
> A buffer overflow exists in awk (named awk on most systems, but actually
> is gawk/GNU awk) when calling the -f option, to include an awk script,
> and supplying a filename with a buffer length of 1022 and up.
>
>
> address@hidden keoki]# awk -f `perl -e 'print "A" x 1022'`
> awk: fatal error: internal error
> Abort (core dumped)
> address@hidden keoki]# awk -f `perl -e 'print "A" x 2048'`
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
> fatal error: internal error
> Abort (core dumped)
> address@hidden keoki]#
>
> The bug exists in io.c in function do_pathopen
>
> [..........]
>
>
> It can also be crashed with an env variable as follows
>
> address@hidden keoki]# env AWKPATH=`perl -e 'print "A" x 2048'` awk -f xx
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/e/keoki:
> fatal error: internal error
> Abort (core dumped)
>
> This was tested on the FreeBSD platform (fbsd 4.0 && 4.4) against awk (which
> is actually gnu awk) versions 3.0.6 && 3.0.4
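The report above describes a fixed-size on-stack `trypath[BUFSIZ]` in do_pathopen being filled from an AWKPATH component plus the `-f` file name with no length check. The following C example is added here to illustrate that pattern and the shape of a fix; it is not code from gawk or from this message. It assumes BUFSIZ was 1024 on the reporter's systems (so a `.` entry plus `/` plus a 1022-byte name plus NUL is 1025 bytes, one more than the buffer, consistent with the reported threshold), uses a constructed AWKPATH and a stand-in for devopen(), and the function names `trypath_len`, `old_buffer_overflows`, `pathopen_fixed`, `dot_entry_overflows`, `fake_exists` and `first_hit_is` are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: BUFSIZ was 1024 on the reporter's FreeBSD 4.x systems. */
#define OLD_TRYPATH_SIZE 1024
#define ENVSEP ':'

/* Bytes needed for the largest "<component>/<file>\0" a path search can
 * build: no single component is longer than the whole AWKPATH string,
 * +1 for the '/' and +1 for the terminating NUL. */
size_t trypath_len(const char *awkpath, const char *file)
{
    return strlen(awkpath) + strlen(file) + 2;
}

/* The check the original loop lacked: would some component, joined with
 * `file`, exceed a fixed buffer of `bufsiz` bytes? Returns 1 if so. */
int old_buffer_overflows(const char *awkpath, const char *file, size_t bufsiz)
{
    size_t flen = strlen(file);
    const char *p = awkpath;

    for (;;) {
        const char *end = strchr(p, ENVSEP);
        size_t clen = end ? (size_t)(end - p) : strlen(p);
        /* empty component => file alone; otherwise component + '/' + file */
        size_t need = (clen == 0 ? flen : clen + 1 + flen) + 1; /* +1 NUL */
        if (need > bufsiz)
            return 1;
        if (end == NULL || end[1] == '\0')   /* last component, or trailing ':' */
            return 0;
        p = end + 1;
    }
}

/* Reproduce the report's arithmetic for an AWKPATH entry of "." and a file
 * name of `namelen` 'A's against a buffer of `bufsiz` bytes. */
int dot_entry_overflows(size_t namelen, size_t bufsiz)
{
    char *name = malloc(namelen + 1);
    int r;
    if (name == NULL)
        return -1;
    memset(name, 'A', namelen);
    name[namelen] = '\0';
    r = old_buffer_overflows(".", name, bufsiz);
    free(name);
    return r;
}

/* Hardened search in the spirit of the fix: allocate once for the worst case,
 * try each component, return the first candidate `exists` accepts (caller
 * frees) or NULL. A trailing separator is treated as the end of the path. */
char *pathopen_fixed(const char *awkpath, const char *file,
                     int (*exists)(const char *))
{
    size_t len = trypath_len(awkpath, file);
    char *trypath = malloc(len);
    const char *p = awkpath;
    char *cp;

    if (trypath == NULL)
        return NULL;
    for (;;) {
        for (cp = trypath; *p != '\0' && *p != ENVSEP; )
            *cp++ = *p++;
        if (cp != trypath)          /* non-empty component: add '/' */
            *cp++ = '/';
        strcpy(cp, file);           /* bounded by construction, see trypath_len() */
        if (exists(trypath))
            return trypath;
        if (*p != ENVSEP || p[1] == '\0')
            break;
        p++;                        /* skip ':' and try the next component */
    }
    free(trypath);
    return NULL;
}

/* Constructed stand-in for devopen(): only files under one directory "exist". */
int fake_exists(const char *path)
{
    return strncmp(path, "/usr/local/share/awk/", 21) == 0;
}

/* Returns 1 when the first hit for `file` along `awkpath` is `want` (NULL = no hit). */
int first_hit_is(const char *awkpath, const char *file, const char *want)
{
    char *p = pathopen_fixed(awkpath, file, fake_exists);
    int ok = (p == NULL) ? (want == NULL) : (want != NULL && strcmp(p, want) == 0);
    free(p);
    return ok;
}

int main(void)
{
    printf("1021-byte name overflows %d-byte buffer: %d\n", OLD_TRYPATH_SIZE,
           dot_entry_overflows(1021, OLD_TRYPATH_SIZE));
    printf("1022-byte name overflows %d-byte buffer: %d\n", OLD_TRYPATH_SIZE,
           dot_entry_overflows(1022, OLD_TRYPATH_SIZE));
    printf("lib.awk found via fixed search: %d\n",
           first_hit_is(".:/usr/local/share/awk", "lib.awk",
                        "/usr/local/share/awk/lib.awk"));
    return 0;
}
```

The point of `trypath_len` is that the bound is computed before the loop from the untraversed path, so every component the loop copies is covered; the `strcpy` inside the loop is then safe only because of that invariant, which is why the comment sits at the copy.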
The following patch fixes the problem.
Arnold
------------------------------------------------------------
*** ../gawk-3.1.0/io.c Tue Apr 24 14:35:35 2001
--- io.c Sun Mar 17 17:41:45 2002
***************
*** 1923,1930 ****
static const char *savepath = NULL;
static int first = TRUE;
const char *awkpath;
! char *cp, trypath[BUFSIZ];
int fd;
if (STREQ(file, "-"))
return (0);
--- 2014,2022 ----
static const char *savepath = NULL;
static int first = TRUE;
const char *awkpath;
! char *cp, *trypath;
int fd;
+ int len;
if (STREQ(file, "-"))
return (0);
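Review bot: the new `int len;` holds a sum of two strlen() results, so declare it `size_t` rather than `int` to match what strlen() returns and what emalloc is given; an oversized AWKPATH should not be able to wrap the count. Since `trypath` changes from `trypath[BUFSIZ]` to a bare `char *`, a short comment at the declaration stating that every exit after the allocation must free it would help the next reader of this function.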
***************
*** 1945,1953 ****
if (ispath(file))
return (devopen(file, "r"));
do {
trypath[0] = '\0';
! /* this should take into account limits on size of trypath */
for (cp = trypath; *awkpath && *awkpath != envsep; )
*cp++ = *awkpath++;
--- 2037,2049 ----
if (ispath(file))
return (devopen(file, "r"));
+ /* no arbitrary limits: */
+ len = strlen(awkpath) + strlen(file) + 2;
+ emalloc(trypath, char *, len, "do_pathopen");
+
do {
trypath[0] = '\0';
!
for (cp = trypath; *awkpath && *awkpath != envsep; )
*cp++ = *awkpath++;
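Review bot: the `!` line that replaced `/* this should take into account limits on size of trypath */` is now empty, and the `/* no arbitrary limits: */` comment above `len = strlen(awkpath) + strlen(file) + 2;` does not say why that size is enough; state the bound where it is computed, e.g. `/* longest component <= strlen(awkpath); +1 for '/', +1 for NUL */`. The bound holds because `awkpath` is the full, untraversed path when `len` is computed, so no single component copied by the `for` loop can be longer than it, and that reasoning is the entire fix.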
***************
*** 1959,1971 ****
strcpy(cp, file);
} else
strcpy(trypath, file);
! if ((fd = devopen(trypath, "r")) > INVALID_HANDLE)
return (fd);
/* no luck, keep going */
if(*awkpath == envsep && awkpath[1] != '\0')
awkpath++; /* skip colon */
} while (*awkpath != '\0');
/*
* You might have one of the awk paths defined, WITHOUT the current
* working directory in it. Therefore try to open the file in the
--- 2055,2071 ----
strcpy(cp, file);
} else
strcpy(trypath, file);
! if ((fd = devopen(trypath, "r")) > INVALID_HANDLE) {
! free(trypath);
return (fd);
+ }
/* no luck, keep going */
if(*awkpath == envsep && awkpath[1] != '\0')
awkpath++; /* skip colon */
} while (*awkpath != '\0');
+ free(trypath);
+
/*
* You might have one of the awk paths defined, WITHOUT the current
* working directory in it. Therefore try to open the file in the
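Review bot: the two copies `strcpy(cp, file);` and `strcpy(trypath, file);` remain unbounded and are safe only because of the `len` computed before the loop; either add a comment at the copy pointing at that invariant or use the computed size with a bounded copy so the safety is visible where the write happens. Also, the `free(trypath);` added after the `while` is followed by the current-directory fallback whose body lies outside this diff; confirm that nothing below it still refers to `trypath` after the free.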