Potential buffer under-run in shell_execve()
From: John E. Malmberg
Subject: Potential buffer under-run in shell_execve()
Date: Sat, 13 Aug 2016 21:01:01 -0500
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

Hello,

In Bash 4.3.42:

In execute_cmd/shell_execve(), if HAVE_HASH_BANG_EXEC is defined, the
macro READ_SAMPLE_BUF has the potential to set sample_len to -1.

    #if defined (HAVE_HASH_BANG_EXEC)
    READ_SAMPLE_BUF (command, sample, sample_len);
    sample[sample_len - 1] = '\0';

This would cause sample[-2] to be set to 0. Most likely it would set
part of fd to 0, but all that depends on the compiler.

Since fd is not in use at this point, the under-run would not be noticed.

Regards,
-John
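
Added example, not part of the original message and not Bash's own code: the unchecked terminator write described above next to a guarded form, run on a path that cannot be opened so the length comes back as -1. The helper names, GUARD, SAMPLE_SIZE and the path are hypothetical; the buffer sits inside a larger array with canary bytes in front so the stray write can be observed without undefined behaviour, and the guard also covers a length of 0, which would index sample[-1].

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define GUARD 8        /* constructed canary bytes placed in front of the buffer */
#define SAMPLE_SIZE 80 /* assumed size, not taken from the Bash source */

/* Hypothetical stand-in for READ_SAMPLE_BUF: yields -1 when open() or read() fails. */
static ssize_t read_sample(const char *path, char *buf, size_t size)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t len = read(fd, buf, size);
    close(fd);
    return len;
}

/* Pattern from the report: len is used as an index without being checked. */
static void terminate_unchecked(char *sample, ssize_t len) { sample[len - 1] = '\0'; }

/* Guarded form: write the terminator only when len - 1 is a valid index. */
static int terminate_checked(char *sample, ssize_t len)
{
    if (len <= 0)
        return 0;
    sample[len - 1] = '\0';
    return 1;
}

/* Offset (relative to sample) of the canary byte that was overwritten, 0 if none. */
static int stray_write_offset(int use_checked)
{
    char arena[GUARD + SAMPLE_SIZE];
    char *sample = arena + GUARD; /* negative indexes stay inside arena: well-defined */
    memset(arena, 0x41, sizeof arena);
    ssize_t len = read_sample("/nonexistent/constructed-path", sample, SAMPLE_SIZE);
    if (use_checked)
        terminate_checked(sample, len);
    else
        terminate_unchecked(sample, len);
    for (int i = -GUARD; i < 0; i++)
        if (sample[i] != 0x41)
            return i;
    return 0;
}

int main(void) { printf("unchecked: %d  checked: %d\n", stray_write_offset(0), stray_write_offset(1)); return 0; }
```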