Bugtraq mailing list archives

Re: Buffer overflow in bash 1.14.7(1)


From: wichert () WIGGY ML ORG (Wichert Akkerman)
Date: Sun, 6 Sep 1998 00:59:05 +0200




Some further looking revealed bash segfaulted on doing a strlen on
the length of the cwd, after getcwd() returned NULL since the cwd
was too long.

This patch fixes that by setting PWD to "." if the cwd is too long.

Wichert.

diff -ru org/bash-2.01.1/builtins/cd.def bash-2.01.1/builtins/cd.def
--- org/bash-2.01.1/builtins/cd.def     Fri Apr 11 18:55:47 1997
+++ bash-2.01.1/builtins/cd.def Sun Sep  6 00:53:16 1998
@@ -146,11 +146,19 @@
      needing a remake. */
   if (old_anm == 0 && array_needs_making && exported_p (tvar))
     {
-      pwdvar = xmalloc (strlen (dirname) + 5); /* 5 = "PWD" + '=' + '\0' */
-      strcpy (pwdvar, "PWD=");
-      strcpy (pwdvar + 4, dirname);
-      add_or_supercede_exported_var (pwdvar, 0);
-      array_needs_making = 0;
+      if (dirname!=0)
+        {
+          pwdvar = xmalloc (strlen (dirname) + 5);     /* 5 = "PWD" + '=' + '\0' */
+          strcpy (pwdvar, "PWD=");
+          strcpy (pwdvar + 4, dirname);
+        }
+      else
+        {
+          pwdvar=xmalloc (6);
+          strcpy (pwdvar, "PWD=.");
+        }
+        add_or_supercede_exported_var (pwdvar, 0);
+        array_needs_making = 0;
     }

   FREE (dirname);
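Review bot: the two lines `add_or_supercede_exported_var (pwdvar, 0);` and `array_needs_making = 0;` are now indented as if they belonged to the `else` branch, although they run on both paths; restore them to the original six-space indentation so the control flow reads correctly. The new conditions `dirname!=0` and `pwdvar=xmalloc (6)` also depart from the surrounding `x == 0` / `x = y` spacing. A one-line comment on the `else` branch saying why `dirname` can be NULL here (getcwd() failed on an over-long path) would help the next reader understand the "." fallback.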


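As an added example (not part of Wichert's patch or the bash sources): a hardened builder for the PWD string that tolerates a NULL directory the way the patch does, beside a getcwd() wrapper that grows its buffer on ERANGE so the NULL never arises for long paths in the first place. The function names are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build the "PWD=<dir>" string that cd exports. A NULL dirname
 * (getcwd() failed, e.g. ERANGE on an over-long path) yields "PWD=."
 * instead of being handed to strlen(), which is what crashed bash. */
char *build_pwd_var(const char *dirname)
{
    const char *dir = dirname ? dirname : ".";
    size_t len = strlen(dir) + 5;          /* "PWD=" + dir + '\0' */
    char *pwdvar = malloc(len);
    if (pwdvar == NULL)
        return NULL;
    snprintf(pwdvar, len, "PWD=%s", dir);
    return pwdvar;
}

/* Fetch the cwd into a heap buffer that is doubled until getcwd() stops
 * failing with ERANGE. Any other failure returns NULL so the caller can
 * fall back (e.g. via build_pwd_var(NULL)) rather than crash. */
char *get_cwd_dynamic(void)
{
    size_t size = 16;                      /* small on purpose: exercises ERANGE */
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd(buf, size) != NULL)
            return buf;
        int err = errno;
        free(buf);
        if (err != ERANGE || size > SIZE_MAX / 2)
            return NULL;
        size *= 2;
    }
}
```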
