author | jilles <jilles@FreeBSD.org> | 2010-08-10 22:45:59 +0000 |
---|---|---|
committer | jilles <jilles@FreeBSD.org> | 2010-08-10 22:45:59 +0000 |
commit | 8824c5ab7690895c9f4c64dc73d5cbd0dd4d62e4 (patch) | |
tree | 7e2b11fc91b3dd1fd5d1dc48d4e2e40ebee05f55 /tools | |
parent | 243488333fe36a4095d1e102254a664ed1effc85 (diff) | |
sh: Fix heap-based buffer overflow in pathname generation.
The buffer for generated pathnames could be too small in some cases. It
happened to be always at least PATH_MAX long, so there was never an overflow
if the resulting pathnames would be usable.
This bug may be abused if a script subjects input from an untrusted source
to pathname generation, which is a bad idea anyhow. Most shell scripts do not
work on untrusted data. secteam@ says no advisory is necessary.
PR: bin/148733
Reported by: Changming Sun snnn119 at gmail com
MFC after: 10 days
Diffstat (limited to 'tools')
-rw-r--r-- | tools/regression/bin/sh/expansion/pathname3.0 | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/tools/regression/bin/sh/expansion/pathname3.0 b/tools/regression/bin/sh/expansion/pathname3.0 new file mode 100644 index 0000000..d1672e0 --- /dev/null +++ b/tools/regression/bin/sh/expansion/pathname3.0 @@ -0,0 +1,29 @@ +# $FreeBSD$ + +v=12345678 +v=$v$v$v$v +v=$v$v$v$v +v=$v$v$v$v +v=$v$v$v$v +v=$v$v$v$v +# 8192 bytes +v=${v##???} +[ /*/$v = "/*/$v" ] || exit 1 + +s=//// +s=$s$s$s$s +s=$s$s$s$s +s=$s$s$s$s +s=$s$s$s$s +# 1024 bytes +s=${s##??????????} +[ /var/empt[y]/$s/$v = "/var/empt[y]/$s/$v" ] || exit 2 +while [ ${#s} -lt 1034 ]; do + set -- /.${s}et[c] + [ ${#s} -gt 1018 ] || [ "$1" = /.${s}etc ] || exit 3 + set -- /.${s}et[c]/ + [ ${#s} -gt 1017 ] || [ "$1" = /.${s}etc/ ] || exit 4 + set -- /.${s}et[c]/. + [ ${#s} -gt 1016 ] || [ "$1" = /.${s}etc/. ] || exit 5 + s=$s/ +done |
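Review bot: The length thresholds in the while loop (`[ ${#s} -gt 1018 ]`, `-gt 1017`, `-gt 1016`) are unexplained magic numbers. A comment should say that each corresponds to a generated pathname of 1023 bytes (`/.${s}etc` is ${#s}+5 bytes, the `/` and `/.` variants one and two bytes more), and that above those lengths the equality check is skipped, so those iterations only verify that sh survives the expansion. The `# 8192 bytes` and `# 1024 bytes` comments describe the strings before the `${v##???}` and `${s##??????????}` trims that follow, so the values actually used are 8189 and 1014 bytes; either reword the comments or place them after the trims. The test also assumes that `/var/empty` and `/etc` exist on the host and that `/*/$v` matches nothing, which is worth stating at the top of the file so a failure with exit 2 through 5 on an unusual system is not misread as a regression.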