Bash 2.05 mishandles TCP connections to negative services
From: Paul Eggert
Subject: Bash 2.05 mishandles TCP connections to negative services
Date: Mon, 30 Apr 2001 06:39:20 -0700 (PDT)
From: eggert
To: bug-bash@gnu.org
Subject: [50 character or so descriptive subject here (for reference)]
Configuration Information [Automatically generated, do not change]:
Machine: sparc
OS: solaris2.7
Compiler: cc -xarch=v9
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='sparc'
-DCONF_OSTYPE='solaris2.7' -DCONF_MACHTYPE='sparc-sun-solaris2.7'
-DCONF_VENDOR='sun' -DSHELL -DHAVE_CONFIG_H -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -I. -I.. -I../include -I../lib
-I/tmp/prefix/include -g
uname output: SunOS sic.twinsun.com 5.7 Generic_106541-15 sun4u sparc
SUNW,UltraSPARC-IIi-Engine
Machine Type: sparc-sun-solaris2.7
Bash Version: 2.05
Patch Level: 0
Release Status: release
Description:
Bash 2.05 mishandles overflow checking when testing for invalid
TCP service numbers. It tests for ports that are too large, but
it doesn't test for negative ports.
Repeat-By:
$ cat </dev/tcp/localhost/100000
bash: 100000: invalid service
bash: /dev/tcp/localhost/100000: Invalid argument
$ cat </dev/tcp/localhost/-1
bash: connect: Connection refused
bash: /dev/tcp/localhost/-1: Connection refused
The two results should be similar, but with port -1 Bash
actually attempts to connect to port 65535.
Fix:
2001-04-30 Paul Eggert <eggert@twinsun.com>
* lib/sh/netopen.c (_getserv): Reject negative service numbers.
===================================================================
RCS file: lib/sh/netopen.c,v
retrieving revision 2.5
retrieving revision 2.5.0.1
diff -pu -r2.5 -r2.5.0.1
--- lib/sh/netopen.c 2000/08/01 18:59:59 2.5
+++ lib/sh/netopen.c 2001/04/30 13:33:45 2.5.0.1
@@ -107,9 +107,9 @@ _getserv (serv, proto, pp)
if (legal_number (serv, &l))
{
- if (l > 65535)
- return 0;
s = (unsigned short)(l & 0xFFFF);
+ if (s != l)
+ return 0;
s = htons (s);
if (pp)
*pp = s;
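Review bot: The added `if (s != l)` test rejects negative and over-range service numbers only as a side effect of comparing the truncated 16-bit value against the untruncated `l`, and that depends on the declared type of `s`, which is outside this hunk. An explicit `if (l < 0 || l > 65535) return 0;` placed before the cast would state the accepted range directly without relying on truncation and integer promotion; if the round-trip form is kept, it should carry a short comment saying it catches negative values as well as values above 65535. Either form still accepts 0 as a service number.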
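The truncation the report describes, as an added example that is not part of the original message or of Bash's source. `parse_port`, the `check` modes and the sample strings are constructed here, `strtol` stands in for Bash's `legal_number`, and the port is left in host byte order (no `htons`).

```c
/* Added example: compares the pre-patch, patched and explicit range checks. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

enum check { UPPER_ONLY, ROUND_TRIP, EXPLICIT_RANGE };  /* hypothetical names */

/* Returns 1 and stores the port if serv is accepted under the given check. */
int parse_port(const char *serv, enum check mode, unsigned short *port)
{
    char *end;
    long l;
    unsigned short s;

    errno = 0;
    l = strtol(serv, &end, 10);
    if (errno != 0 || end == serv || *end != '\0')
        return 0;                       /* not a whole decimal number */
    s = (unsigned short)(l & 0xFFFF);   /* -1 truncates to 65535 */
    switch (mode) {
    case UPPER_ONLY:     if (l > 65535) return 0; break;           /* pre-patch */
    case ROUND_TRIP:     if (s != l) return 0; break;              /* patched */
    case EXPLICIT_RANGE: if (l < 0 || l > 65535) return 0; break;  /* alternative */
    }
    *port = s;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *samples[] = { "80", "65535", "65536", "100000", "-1", "-65456" };
    static const char *names[] = { "upper-only", "round-trip", "explicit" };

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        for (int m = UPPER_ONLY; m <= EXPLICIT_RANGE; m++) {
            unsigned short p = 0;
            int ok = parse_port(samples[i], (enum check)m, &p);
            printf("%-7s %-10s -> %s", samples[i], names[m], ok ? "accepted" : "rejected");
            if (ok)
                printf(" as port %u", (unsigned)p);
            putchar('\n');
        }
    return 0;
}
```

Under the upper-bound-only check every negative input is accepted and silently mapped to its low 16 bits; the other two checks agree on all six samples.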