List-Id: Zsh Workers List
X-Seq: 33368
Date: Mon, 6 Oct 2014 16:55:44 +0200
Subject: Re: Buffer overflow with long fd numbers in redirects
From: Mikael Magnusson
To: zsh workers
In-Reply-To: <20141006142434.GC5405@sym.noone.org>

On 6 October 2014 16:24, Axel Beckert wrote:
> Hi,
>
> On Mon, Oct 06, 2014 at 04:00:44PM +0200, Mikael Magnusson wrote:
>> Someone reported this on IRC the other day,
>> % >&333333333333333333333
>> zsh: number truncated after 20 digits: 333333333333333333333
>> *** buffer overflow detected ***: zsh terminated
>>
>> At least one place where this is mishandled is in exec.c around line 3215,
>
> I can reproduce this in 5.0.6.
>
> But I can't reproduce this in 4.3.17 as in Debian Wheezy. There it
> looks exactly like this:
>
>> Output with the patch,
>> % >&333333333333333333333
>> zsh: number truncated after 20 digits: 333333333333333333333
>> zsh: 553997653: bad file descriptor
>
> !518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
> ~ → echo $ZSH_VERSION
> 4.3.17
> !518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
> ~ → >&333333333333333333333
> zsh: number truncated after 20 digits: 333333333333333333333
> zsh: 553997653: bad file descriptor
> !519 Z8 ?1 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:50
> ~ →

You'll only see this error if zsh was compiled with buffer overflow
checking enabled (or against a glibc that has it enabled, not 100% sure
on the implementation details), probably it wasn't for the older
package. Overflowing the buffer doesn't write on any unallocated memory
so it won't segfault (fdstr is the last variable on the stack).

-- 
Mikael Magnusson
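The number path discussed in this thread, as an added example that is not zsh's code and not part of the original message: the parse is modelled as "keep the first 20 digits (the count zsh's warning reports), accumulate with unsigned wraparound, then narrow to int", which is an assumption about zsh's internals but reproduces the 553997653 shown in the quoted output; the formatting side then shows how many bytes that fd needs compared with a small fixed buffer (the size 4 is chosen for illustration; the real size of `fdstr` in exec.c is not stated on this page) and uses a bounds-checked formatter in place of an unchecked `sprintf`. All function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Digit limit taken from the warning quoted in this thread:
 * "zsh: number truncated after 20 digits". */
#define MAX_FD_DIGITS 20

/* Assumed model of the parse path (not zsh's actual code): keep at most
 * MAX_FD_DIGITS leading digits, accumulate them in a 64-bit unsigned
 * (wraps mod 2^64), then narrow to int for use as a file descriptor.
 * *truncated is set when digits were dropped.  For the 21 threes in the
 * thread this yields 553997653, matching the "bad file descriptor" line. */
int fd_from_digits(const char *digits, int *truncated)
{
    size_t len = strlen(digits);
    *truncated = (len > MAX_FD_DIGITS);
    if (*truncated)
        len = MAX_FD_DIGITS;

    uint64_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        if (digits[i] < '0' || digits[i] > '9')
            break;                       /* stop at the first non-digit */
        acc = acc * 10 + (uint64_t)(digits[i] - '0');   /* wraps mod 2^64 */
    }
    return (int)(uint32_t)acc;           /* low 32 bits become the fd */
}

/* Bytes required to hold fd in decimal, NUL terminator included. */
size_t fd_buf_needed(int fd)
{
    return (size_t)snprintf(NULL, 0, "%d", fd) + 1;
}

/* Hardened formatter: writes fd in decimal into buf[n].  Returns the number
 * of characters written, or -1 (and an empty string) when the value would
 * not fit.  An unchecked sprintf into a buffer too small for the fd is the
 * pattern that overruns the stack buffer this thread is about. */
int format_fd(char *buf, size_t n, int fd)
{
    int need = snprintf(buf, n, "%d", fd);
    if (need < 0 || (size_t)need >= n) {
        if (n)
            buf[0] = '\0';
        return -1;
    }
    return need;
}

int main(void)
{
    int truncated;
    /* Constructed input: the 21-digit redirect target from the thread. */
    int fd = fd_from_digits("333333333333333333333", &truncated);
    char small[4];   /* illustrative tiny buffer, holds at most "999" */
    char big[32];

    printf("truncated=%d fd=%d needs %zu bytes\n", truncated, fd, fd_buf_needed(fd));
    printf("4-byte buffer:  rc=%d\n", format_fd(small, sizeof small, fd));
    printf("32-byte buffer: rc=%d text=%s\n", format_fd(big, sizeof big, fd), big);
    return 0;
}
```

A 4-byte buffer covers fds 0 to 999, so the wrapped value needs ten bytes and is refused by `format_fd` instead of being written past the end. When the unchecked `sprintf` variant is built with `-O2 -D_FORTIFY_SOURCE=2` against glibc, the call is routed through `__sprintf_chk`, which aborts with the "*** buffer overflow detected ***" message quoted above; without that build option the overrun goes unreported, which is consistent with the 4.3.17 package behaving differently.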