Vulnerability Development mailing list archives
Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues )
From: Ali Saifullah Khan <saifullah () gamebox net>
Date: Sun, 16 Feb 2003 14:16:56 +0500
file: bash-VERSION/lib/glob/glob.c

    char **
    glob_filename (pathname)
         char *pathname;
    {
      .
      .
        {
          directory_len = (filename - pathname) + 1;
          directory_name = (char *) alloca (directory_len + 1);
          bcopy (pathname, directory_name, directory_len);
          directory_name[directory_len] = '\0';
          ++filename;
        }
      .
      .

As Vladimir pointed out, instead of copying a large source string of length 'directory_len', why not simply copy strlen(pathname) bytes to directory_name? Would this produce a fix? I'm not an expert when it comes to C, but so far this is what I conclude.

Regards.
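Added example, not part of the original message and not bash or glibc code: one way to keep the directory-prefix copy quoted above off the stack is to take the prefix length from the last '/', refuse prefixes over a cap, and allocate on the heap instead of with alloca(), so a long pathname cannot grow a recursive caller's stack frame. It assumes filename is the result of strrchr(pathname, '/'); dup_directory_prefix and DIR_PREFIX_MAX are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on the directory prefix (an assumption for this example). */
#define DIR_PREFIX_MAX 4096

/*
 * Return a heap copy of the directory part of pathname, up to and
 * including the last '/', NUL-terminated. The caller frees the result.
 * Returns NULL when there is no '/', the prefix exceeds DIR_PREFIX_MAX,
 * or the allocation fails. On success *out_len receives the prefix length.
 */
char *dup_directory_prefix(const char *pathname, size_t *out_len)
{
    /* Assumption: mirrors "filename" in the quoted excerpt. */
    const char *filename = strrchr(pathname, '/');
    size_t directory_len;
    char *directory_name;

    if (filename == NULL)
        return NULL;

    directory_len = (size_t)(filename - pathname) + 1;
    if (directory_len > DIR_PREFIX_MAX)
        return NULL;                      /* refuse instead of allocating */

    directory_name = malloc(directory_len + 1);
    if (directory_name == NULL)
        return NULL;                      /* malloc failure is detectable; alloca failure is not */

    /* Copy exactly directory_len bytes: the buffer holds directory_len + 1. */
    memcpy(directory_name, pathname, directory_len);
    directory_name[directory_len] = '\0';
    if (out_len != NULL)
        *out_len = directory_len;
    return directory_name;
}

int main(void)
{
    size_t n = 0;
    char *dir = dup_directory_prefix("/usr/lib/file", &n);  /* constructed input */
    if (dir != NULL) {
        printf("%s (%lu bytes)\n", dir, (unsigned long)n);
        free(dir);
    }
    return 0;
}
```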