authorjoerg <joerg@FreeBSD.org>1997-08-27 17:18:30 +0000
committerjoerg <joerg@FreeBSD.org>1997-08-27 17:18:30 +0000
commit1fa2fafd210a0a94505d20066e2c109207101d32 (patch)
treee75a4469673416387d4119506d3de04905b481cd /gnu
parentdbbb9f298faa7b02bf158d5d4402f1a3b5739632 (diff)
Major Ooops. I've overlooked a few calls to scanident() in my last commit.
Submitted by: rbezuide@oskar.nanoteq.co.za (Reinier Bezuidenhout)
Diffstat (limited to 'gnu')
-rw-r--r--gnu/usr.bin/perl/perl/toke.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/gnu/usr.bin/perl/perl/toke.c b/gnu/usr.bin/perl/perl/toke.c
index 78cd195..d654066 100644
--- a/gnu/usr.bin/perl/perl/toke.c
+++ b/gnu/usr.bin/perl/perl/toke.c
@@ -1,4 +1,4 @@
-/* $RCSfile: toke.c,v $$Revision: 1.2 $$Date: 1995/05/30 05:03:26 $
+/* $RCSfile: toke.c,v $$Revision: 1.3 $$Date: 1997/08/08 20:53:59 $
*
* Copyright (c) 1991, Larry Wall
*
@@ -6,6 +6,12 @@
* License or the Artistic License, as specified in the README file.
*
* $Log: toke.c,v $
+ * Revision 1.3 1997/08/08 20:53:59 joerg
+ * Fix a buffer overflow condition (that causes a security hole in suidperl).
+ *
+ * Closes: CERT Advisory CA-97.17 - Vulnerability in suidperl
+ * Obtained from: (partly) the fix in CA-97.17
+ *
* Revision 1.2 1995/05/30 05:03:26 rgrimes
* Remove trailing whitespace.
*
@@ -1767,17 +1773,17 @@ register char *s;
arg->arg_type = O_ITEM;
arg[1].arg_type = A_DOUBLE;
arg[1].arg_ptr.arg_str = str_smake(str);
- d = scanident(d,bufend,buf);
+ d = scanident(d,bufend,buf,sizeof buf);
(void)stabent(buf,TRUE); /* make sure it's created */
for (; d < e; d++) {
if (*d == '\\')
d++;
else if (*d == '$' && d[1] && d[1] != '|' && d[1] != ')') {
- d = scanident(d,bufend,buf);
+ d = scanident(d,bufend,buf,sizeof buf);
(void)stabent(buf,TRUE);
}
else if (*d == '@') {
- d = scanident(d,bufend,buf);
+ d = scanident(d,bufend,buf,sizeof buf);
if (strEQ(buf,"ARGV") || strEQ(buf,"ENV") ||
strEQ(buf,"SIG") || strEQ(buf,"INC"))
(void)stabent(buf,TRUE);
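Review bot: Nothing in this change stops the same omission from recurring. The eight call sites fixed here (this hunk and the ones at -1851, -2454 and -2736) previously compiled with three arguments, which suggests no prototype for scanident() is in scope; the hunk headers show the file uses K&R-style definitions. Declaring a full prototype for scanident() ahead of its first use, with parameter types matching the definition, would turn a call that passes no length into a compile error rather than a latent overflow of the destination buffer. Also confirm that `buf` is an array whose definition is visible at these calls; if it were a pointer, `sizeof buf` would pass the pointer size instead of the buffer length. The enclosing function starts and ends outside the hunk.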
@@ -1851,15 +1857,15 @@ char *start;
arg->arg_type = O_ITEM;
arg[1].arg_type = A_DOUBLE;
arg[1].arg_ptr.arg_str = str_smake(str);
- d = scanident(d,e,buf);
+ d = scanident(d,e,buf,sizeof buf);
(void)stabent(buf,TRUE); /* make sure it's created */
for (; *d; d++) {
if (*d == '$' && d[1] && d[-1] != '\\' && d[1] != '|') {
- d = scanident(d,e,buf);
+ d = scanident(d,e,buf,sizeof buf);
(void)stabent(buf,TRUE);
}
else if (*d == '@' && d[-1] != '\\') {
- d = scanident(d,e,buf);
+ d = scanident(d,e,buf,sizeof buf);
if (strEQ(buf,"ARGV") || strEQ(buf,"ENV") ||
strEQ(buf,"SIG") || strEQ(buf,"INC"))
(void)stabent(buf,TRUE);
@@ -2454,7 +2460,7 @@ int in_what;
(*s == '@' && s+1 < send) ) {
if (s[1] == '#' && (isALPHA(s[2]) || s[2] == '_'))
*d++ = *s++;
- len = scanident(s,send,tokenbuf) - s;
+ len = scanident(s,send,tokenbuf,sizeof tokenbuf) - s;
if (*s == '$' || strEQ(tokenbuf,"ARGV")
|| strEQ(tokenbuf,"ENV")
|| strEQ(tokenbuf,"SIG")
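Review bot: `len` is computed from the returned source pointer, not from what was stored in `tokenbuf`, so once scanident() caps the copy at `sizeof tokenbuf` the two can disagree for an over-long identifier. This assumes the scanner still advances past the whole name; its body is not in this diff. Code after this hunk that uses `len` should be checked so that it does not treat it as the length of the string in `tokenbuf`. A short comment at the call would record the distinction, e.g. `/* len counts source chars consumed; tokenbuf may hold a truncated name */`. The enclosing function continues outside the hunk.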
@@ -2736,7 +2742,7 @@ load_format()
case '$':
str_ncat(str, t, s - t);
t = s;
- s = scanident(s,eol,tokenbuf);
+ s = scanident(s,eol,tokenbuf,sizeof tokenbuf);
str_ncat(str, t, s - t);
t = s;
if (s < eol && *s && index("$'\"",*s))