zsh-workers
From: Peter Stephenson <pws@csr.com>
To: DragonK <dragonk@gmail.com>
Cc: zsh-workers@sunsite.dk
Subject: Re: Buffer overflow in "!" handling?
Date: Wed, 25 Feb 2009 10:26:03 +0000
Message-ID: <20090225102603.089bc856@news01>
In-Reply-To: <8fa12ca90902250142s171605bekd87885e3dbc5c4a6@mail.gmail.com>

On Wed, 25 Feb 2009 11:42:50 +0200
DragonK <dragonk@gmail.com> wrote:
> I've stumbled upon a buffer overflow in zsh 4.3.9 (and 4.3.6) related
> to the handling of the "!" character in the command line (Linux).
> 
> It's triggerable by typing "!AAAAAAAAA...A" (lots of A's) at the zsh
> prompt (works better if zsh is compiled with stack protection,
> otherwise a lot of A's are needed :) ).
> 
> A quick look at the code indicates the problem to be in hist.c,
> function histsubchar(), where buf[256] is getting overflowed (*ptr is
> used to write to the buffer, but no check is made to see if ptr passed
> the end of buf).  I might be wrong though, I only took a couple of
> minutes to look at the code.

You're right, that's nasty.  See if you can get it to happen with this...

Index: Src/hist.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/hist.c,v
retrieving revision 1.86
diff -u -r1.86 hist.c
--- Src/hist.c	25 Nov 2008 18:39:04 -0000	1.86
+++ Src/hist.c	25 Feb 2009 10:24:08 -0000
@@ -394,9 +394,10 @@
     zlong ev;
     static int marg = -1;
     static zlong mev = -1;
-    char buf[256], *ptr;
+    char *buf, *ptr;
     char *sline;
     Histent ehist;
+    size_t buflen;
 
     /* look, no goto's */
     if (isfirstch && c == hatchar) {
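Review bot: `char *buf, *ptr;` leaves `buf` as an uninitialized pointer and `size_t buflen;` as an unset size until the allocation further down in the function. Initializing them at the declaration (`buf = NULL`, `buflen = 0`) would make any path that reaches a `*ptr++` without passing the allocation fail predictably rather than write through whatever value was on the stack.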
@@ -445,7 +446,7 @@
 	    return bangchar;
 	}
 	cflag = 0;
-	ptr = buf;
+	ptr = buf = zhalloc(buflen = 265);
 
 	/* get event number */
 
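Review bot: in `ptr = buf = zhalloc(buflen = 265);` the initial size 265 looks like a transposition of the 256 from the old `char buf[256]`. It is harmless now that the buffer grows, but a named constant would make the intended size clear, and assigning `buflen` on its own line instead of inside the call argument would make the statement easier to read.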
@@ -455,8 +456,14 @@
 		c = ingetc();
 		if (c == '?' || c == '\n' || lexstop)
 		    break;
-		else
+		else {
 		    *ptr++ = c;
+		    if (ptr == buf + buflen) {
+			buf = hrealloc(buf, buflen, 2 * buflen);
+			ptr = buf + buflen;
+			buflen *= 2;
+		    }
+		}
 	    }
 	    if (c != '\n' && !lexstop)
 		c = ingetc();
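Review bot: the check `if (ptr == buf + buflen)` runs after `*ptr++ = c`, so when the loop exits there is always at least one free byte at `ptr`. That invariant deserves a comment, because any write through `ptr` after the loop depends on it and a later reordering of the check and the store would silently reintroduce the off-the-end write. Separately, growth by `2 * buflen` has no upper limit, so the allocation simply follows the input length; consider whether an extremely long event string should be rejected with an error instead.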
@@ -484,6 +491,11 @@
 			break;
 		}
 		*ptr++ = c;
+		if (ptr == buf + buflen) {
+		    buf = hrealloc(buf, buflen, 2 * buflen);
+		    ptr = buf + buflen;
+		    buflen *= 2;
+		}
 		if (c == '#' || c == bangchar) {
 		    c = ingetc();
 		    break;
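Review bot: this four-line grow block (`hrealloc(buf, buflen, 2 * buflen)`, reset `ptr`, double `buflen`) is a verbatim copy of the one added in the previous hunk. Factoring it into a small helper or macro that takes `buf`, `ptr` and `buflen` would keep the two sites from drifting apart. Only these two `*ptr++ = c` sites are covered by the patch as shown; any other store through `ptr` into `buf` in histsubchar() needs the same bound check.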


-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070

