From: "Jonel Rienton"
To: "Bart Schaefer" ,
Subject: RE: buffer overflow on zsh-3.1.9
Date: Mon, 14 Aug 2000 18:13:24 -0500
In-Reply-To: <1000814183801.ZM10110@candle.brasslantern.com>
Mailing-List: contact zsh-workers-help@sunsite.auc.dk; run by ezmlm
X-Seq: 12628

Doesn't this constitute a way for a malicious user to bring down your system in a multi-environment box?

Jonel Rienton
----------------------------------------------
http://qmail.freebsduser.org/qmail.html
This email is sent by qmail-1.03 on a FreeBSD 4.1-STABLE box

-----Original Message-----
From: Bart Schaefer [mailto:schaefer@candle.brasslantern.com]
Sent: Monday, August 14, 2000 1:38 PM
To: Jonel Rienton; zsh-workers@sunsite.auc.dk
Subject: Re: buffer overflow on zsh-3.1.9

On Aug 14, 1:34pm, Jonel Rienton wrote:
} Subject: buffer overflow on zsh-3.1.9

It's not a buffer overflow.

} 1. hold down the alt key
} 2. while holding alt key press 9 six times

You've just told zsh that you want it to repeat the next command 999999 times.

} 3 release both keys, hit any letter or number

The next command is to insert that character. Zsh faithfully attempts to insert one character 999999 times. Every 256 or so insertions it allocates a larger buffer; eventually your system runs out of memory and zsh gives up and crashes.

The buffer didn't overflow -- that is, I doubt zsh wrote any bytes beyond the bounds of any buffer it succeeded in allocating. We *could* put some sort of arbitrary limit on the maximum numeric prefix argument, to prevent large repetitions like this, but this is clearly a case of pilot error rather than programming error.

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

Zsh: http://www.zsh.org | PHPerl Project: http://phperl.sourceforge.net
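The mechanism described in the quoted reply, as an added illustration that is not zsh's code and was posted by neither participant: a toy line-editor insert buffer that grows in 256-byte steps, a parser for the numeric prefix argument, and an optional cap on that argument. It shows the two properties that matter in the thread: no byte is ever written past what was actually allocated (so an allocation failure ends the insert early rather than overflowing anything), and the repeat count is the only thing that makes the allocation unbounded, so capping it bounds the worst case. The simulated memory budget, MAX_NUMERIC_ARG, the 256-byte chunk size taken from the mail's description, and every identifier here are assumptions made for the example.

```c
/*
 * Toy model of a line editor's insert buffer and numeric prefix argument.
 * Added illustration only: this is not zsh's code. The 256-byte growth step
 * follows the description in the mail; the memory budget, MAX_NUMERIC_ARG
 * and every identifier here are assumptions made for the example.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK 256UL                /* bytes added per buffer growth */
#define MAX_NUMERIC_ARG 100000UL   /* hypothetical cap on the prefix argument */

/* Simulated memory budget so the out-of-memory path is deterministic.
 * A real editor just sees realloc() return NULL. */
static size_t mem_budget = (size_t)-1;
static size_t mem_used = 0;

typedef struct {
    char *buf;
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
} linebuf;

static void linebuf_init(linebuf *lb) { lb->buf = NULL; lb->len = 0; lb->cap = 0; }

static void linebuf_free(linebuf *lb)
{
    free(lb->buf);
    mem_used -= lb->cap;
    linebuf_init(lb);
}

/* Ensure capacity for 'need' bytes. Returns 0 on success, -1 on allocation
 * failure; on failure the existing buffer is left exactly as it was. */
static int linebuf_reserve(linebuf *lb, size_t need)
{
    size_t newcap = lb->cap;
    if (need <= newcap)
        return 0;
    while (newcap < need)
        newcap += CHUNK;
    if (mem_used - lb->cap + newcap > mem_budget)
        return -1;                                /* simulated out-of-memory */
    char *p = realloc(lb->buf, newcap);
    if (p == NULL)
        return -1;                                /* real out-of-memory */
    mem_used += newcap - lb->cap;
    lb->buf = p;
    lb->cap = newcap;
    return 0;
}

/* Insert c at the end of the line 'count' times. Every write lands inside
 * capacity that was just reserved, so running out of memory ends the loop
 * early instead of writing past the buffer. Returns the number inserted. */
static size_t insert_repeated(linebuf *lb, char c, unsigned long count)
{
    size_t done = 0;
    while (done < count) {
        if (linebuf_reserve(lb, lb->len + 2) != 0)  /* +1 for c, +1 for NUL */
            break;
        lb->buf[lb->len++] = c;
        lb->buf[lb->len] = '\0';
        done++;
    }
    return done;
}

/* Parse the digits typed as a numeric prefix argument; Alt-9 six times
 * yields "999999". With capped != 0 the result is clamped to
 * MAX_NUMERIC_ARG, which bounds the worst-case work the next command does. */
static unsigned long parse_numeric_arg(const char *digits, int capped)
{
    unsigned long n = 0;
    for (; *digits >= '0' && *digits <= '9'; digits++) {
        if (n > (ULONG_MAX - 9) / 10) { n = ULONG_MAX; break; }  /* saturate */
        n = n * 10 + (unsigned long)(*digits - '0');
    }
    if (capped && n > MAX_NUMERIC_ARG)
        n = MAX_NUMERIC_ARG;
    return n;
}

/* Run one repeat-insert under a given memory budget and return how many
 * characters actually made it into the line. */
static size_t run_insert(const char *digits, int capped, size_t budget)
{
    linebuf lb;
    linebuf_init(&lb);
    mem_used = 0;
    mem_budget = budget;
    size_t done = insert_repeated(&lb, 'a', parse_numeric_arg(digits, capped));
    linebuf_free(&lb);
    return done;
}

int main(void)
{
    /* The report: 999999 repetitions with only 4 KiB available. */
    printf("uncapped, 4 KiB budget: %zu of 999999 inserted\n", run_insert("999999", 0, 4096));
    /* Same keystrokes with the argument capped and memory unconstrained. */
    printf("capped, no budget:      %zu inserted\n", run_insert("999999", 1, (size_t)-1));
    return 0;
}
```

With a 4 KiB budget the uncapped run stops after 4095 characters, the last reserve having failed cleanly with the buffer still intact and NUL-terminated; with the cap in place the same keystrokes do a bounded 100000 insertions. Whether such a cap is worth adding is exactly the judgment call the reply leaves open.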