Re: Potential buffer under-run in shell

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential buffer under-run in shell_execve()

From:	Chet Ramey
Subject:	Re: Potential buffer under-run in shell_execve()
Date:	Tue, 16 Aug 2016 10:15:09 -0400
User-agent:	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 8/13/16 10:01 PM, John E. Malmberg wrote:
> Hello,
> 
> In Bash 4.3.42:
> 
> In execute_cmd/shell_execve(), if HAVE_BASH_BANG_EXEC is defined, the macro
> READ_SAMPLE_BUF has the potential to set sample_len to -1.
> 
> #if defined (HAVE_HASH_BANG_EXEC)
>           READ_SAMPLE_BUF (command, sample, sample_len);
>           sample[sample_len - 1] = '\0';
> 
> This would cause sample[-2] to be set to 0.  Most likely it would set part
> of fd to 0, but all that depends on the compiler.

Thanks for the report.  Since this code path is taken on failure, and the
child process exits immediately afterward, it's likely not dangerous.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/

[Prev in Thread]

Current Thread

[Next in Thread]

Potential buffer under-run in shell_execve(), John E. Malmberg, 2016/08/15
- Re: Potential buffer under-run in shell_execve(), Chet Ramey <=

Prev by Date: Re: Curious case statement error
Next by Date: Re: Intriguing error with arithmetic evaluation
Previous by thread: Potential buffer under-run in shell_execve()
Next by thread: Location of configuration files
Index(es):
- Date
- Thread