Bugtraq mailing list archives
Re: Buffer overflow in BASH
From: chet () NIKE INS CWRU EDU (Chet Ramey)
Date: Mon, 19 Apr 1999 16:59:24 -0400
> BASH wrongly allocates memory for lines read from redirected standard input.
> If you use the CMD << _EOF_WORD_ operator to redirect standard input, BASH
> will read the following lines from the command input (either tty or shell
> script) into dynamically allocated memory until it encounters _EOF_WORD_.
> BASH allocates only 1000 bytes for the first line regardless of line length.
> I looked at the source code and this is what I found in 'make_cmd.c':
>
>   if (len + document_index >= document_size)
>     {
>       document_size = document_size ? 2 * (document_size + len) : 1000; /* XXX */
>       document = xrealloc (document, document_size);
>     }

This was fixed a long time ago, with bash-2.02.1 for sure, which was released
almost a year ago.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet)

Chet Ramey, Case Western Reserve University    Internet: chet () po CWRU Edu
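
The growth rule quoted in the report, next to a bounds-checked alternative, as an added example that is not code from either post or from the bash source. The names `grow_quoted`, `grow_checked`, `struct doc` and `doc_append` and the use of `size_t` are assumptions, and the checked rule is one possible approach, not the fix shipped in bash-2.02.1.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rule as quoted in the report: an empty buffer always becomes 1000 bytes. */
static size_t grow_quoted(size_t size, size_t index, size_t len)
{
    if (len + index >= size)
        size = size ? 2 * (size + len) : 1000;
    return size;
}

/* Checked rule (assumed, not bash's fix): fit index+len+NUL, no wraparound. */
static int grow_checked(size_t *size, size_t index, size_t len)
{
    size_t cap = *size ? *size : 1000;
    if (index >= SIZE_MAX || len > SIZE_MAX - 1 - index)
        return -1;
    while (cap < index + len + 1)
        cap = (cap > SIZE_MAX / 2) ? index + len + 1 : cap * 2;
    *size = cap;
    return 0;
}

struct doc { char *buf; size_t size, index; };  /* hypothetical holder */
/* Append one here-document line, growing the buffer before the copy. */
static int doc_append(struct doc *d, const char *line, size_t len)
{
    size_t size = d->size;
    if (grow_checked(&size, d->index, len) != 0)
        return -1;
    if (size != d->size) {
        char *p = realloc(d->buf, size);
        if (p == NULL)
            return -1;
        d->buf = p;
        d->size = size;
    }
    memcpy(d->buf + d->index, line, len);
    d->index += len;
    d->buf[d->index] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed input: a 5000-byte first line under the quoted rule. */
    printf("quoted rule allocates %zu bytes\n", grow_quoted(0, 0, 5000));
}
```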