Mailing-List: zsh-workers (contact zsh-workers-help@zsh.org; run by ezmlm)
List-Id: Zsh Workers List
X-Seq: 33365
Date: Mon, 6 Oct 2014 16:00:44 +0200
Subject: Buffer overflow with long fd numbers in redirects
From: Mikael Magnusson
To: zsh workers
Content-Type: text/plain; charset=UTF-8

Someone reported this on IRC the other day,

    % >&333333333333333333333
    zsh: number truncated after 20 digits: 333333333333333333333
    *** buffer overflow detected ***: zsh terminated

At least one place where this is mishandled is in exec.c around line 3215,

    if (fil == -1) {
        char fdstr[4];
        closemnodes(mfds);
        fixfds(save);
        if (fn->fd2 != -2)
            sprintf(fdstr, "%d", fn->fd2);
        if (errno)
            zwarn("%s: %e", fn->fd2 == -2 ? "coprocess" : fdstr, errno);
        execerr();
    }

Obviously anything over 999 will not fit in fdstr[]. I just checked and it appears we do not use snprintf anywhere; is this for any particular reason?

The patch below just changes the array to [64]; it should be some time before any system uses a 256-bit type for fds. If you guys have another preference for solving this, let me know. Note however that just adding a check

    if (fn->fd2 != -2 && fn->fd2 < 1000 && fn->fd2 > -100)

is not sufficient since the zwarn attempts to use fdstr for printing the error. (This is what I did first.)

Output with the patch,

    % >&333333333333333333333
    zsh: number truncated after 20 digits: 333333333333333333333
    zsh: 553997653: bad file descriptor

Arguably fdstr could be 21 because of that truncation, but it would be easy to miss if we lift that restriction at some point.

diff --git i/Src/exec.c w/Src/exec.c index 499606f..906b6ca 100644 --- i/Src/exec.c +++ w/Src/exec.c @@ -3210,7 +3210,7 @@ execcmd() fil = movefd(dup(fd)); } if (fil == -1) { - char fdstr[4]; + char fdstr[64]; closemnodes(mfds); fixfds(save);

-- 
Mikael Magnusson
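Review bot: the widened array leaves the write itself unbounded. With `char fdstr[64];` any int now fits (at most 11 characters including the sign), but the `sprintf(fdstr, "%d", fn->fd2)` shown in the quoted exec.c code still carries no length argument, so the fix depends on the declaration staying in step with the call. Since the message itself asks why snprintf is not used, `snprintf(fdstr, sizeof(fdstr), "%d", fn->fd2)` would make the bound explicit and keep the code correct if the type of fd2 ever changes; a short comment on why 64 was chosen over the 12 bytes an int needs would also help the next reader.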
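The message asks why zsh does not use snprintf and shows that a size check on fn->fd2 alone is not enough because the formatted string is reused for the warning. The following is an added example, not zsh code and not part of the original post: a bounded formatting helper that reports truncation instead of overrunning the buffer, plus a compile-time bound for the decimal length of an int. The names FD_STR_LEN, fd_to_str, fd_str and fd_fits are hypothetical; the bound 4 in the demonstration mirrors the `char fdstr[4]` from the report.

```c
/* Added example (hypothetical names, not zsh's code): bounded formatting
 * of a file-descriptor number with snprintf, the alternative the message
 * asks about. */
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <stdbool.h>

/* Room for the decimal form of any int: sign, digits and NUL.
 * An N-bit integer needs at most N/3 + 1 decimal digits (log10(2) < 1/3),
 * so N/3 + 3 covers the digits, a sign and the terminator.
 * For 32-bit int this is 13; "-2147483648" needs 12. */
#define FD_STR_LEN (sizeof(int) * CHAR_BIT / 3 + 3)

/* Writes the decimal form of fd into buf (capacity len). Returns false when
 * the text did not fit; buf is still NUL-terminated in that case (snprintf
 * truncates rather than writing past len). */
static bool fd_to_str(char *buf, size_t len, int fd)
{
    if (len == 0)
        return false;
    int n = snprintf(buf, len, "%d", fd);
    /* snprintf returns the length the full text would have had */
    return n >= 0 && (size_t)n < len;
}

/* Formats fd into a static buffer sized for any int and returns it,
 * or NULL if it did not fit (cannot happen with FD_STR_LEN). */
static const char *fd_str(int fd)
{
    static char buf[FD_STR_LEN];
    return fd_to_str(buf, sizeof buf, fd) ? buf : NULL;
}

/* True if the decimal form of fd fits in a buffer of capacity len.
 * With len == 4 this admits exactly 0..999 and -1..-99, the range the
 * original 4-byte array could hold. */
static bool fd_fits(int fd, size_t len)
{
    char tmp[FD_STR_LEN];
    return len <= sizeof tmp && fd_to_str(tmp, len, fd);
}

int main(void)
{
    /* Constructed input: the descriptor number from the report after
     * zsh's 20-digit truncation. */
    int fd = 553997653;
    printf("%s -> fits in 4 bytes: %s, fits in %zu bytes: %s\n",
           fd_str(fd), fd_fits(fd, 4) ? "yes" : "no",
           FD_STR_LEN, fd_fits(fd, FD_STR_LEN) ? "yes" : "no");
    return 0;
}
```

The key difference from the original snippet is that the caller learns whether the text fit, so the warning path can decide what to print instead of trusting a buffer that may already have been overrun.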