|
Roman Rakus |
2cb460 |
BASH PATCH REPORT
|
|
Roman Rakus |
2cb460 |
=================
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
Bash-Release: 3.2
|
|
Roman Rakus |
2cb460 |
Patch-ID: bash32-034
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
Bug-Reported-by: Ian Campbell <ian.campbell@xensource.com>
|
|
Roman Rakus |
2cb460 |
Bug-Reference-ID: <EXCHPAFExU3l5bhn1ow00001dfe@rpc.xensource.com>
|
|
Roman Rakus |
2cb460 |
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2007-10/msg00060.html
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
Bug-Description:
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
The bash getcwd replacement will write past the end of allocated memory
|
|
Roman Rakus |
2cb460 |
when it allocates the buffer itself if it uses the buffer size passed as
|
|
Roman Rakus |
2cb460 |
an argument, and that size is less than the length of the pathname.
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
Patch:
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
*** ../bash-3.2-patched/lib/sh/getcwd.c 2004-07-21 17:15:19.000000000 -0400
|
|
Roman Rakus |
2cb460 |
--- lib/sh/getcwd.c 2007-12-31 19:26:36.000000000 -0500
|
|
Roman Rakus |
2cb460 |
***************
|
|
Roman Rakus |
2cb460 |
*** 252,268 ****
|
|
Roman Rakus |
2cb460 |
{
|
|
Roman Rakus |
2cb460 |
size_t len = pathbuf + pathsize - pathp;
|
|
Roman Rakus |
2cb460 |
if (buf == NULL)
|
|
Roman Rakus |
2cb460 |
{
|
|
Roman Rakus |
2cb460 |
! if (len < (size_t) size)
|
|
Roman Rakus |
2cb460 |
! len = size;
|
|
Roman Rakus |
2cb460 |
! buf = (char *) malloc (len);
|
|
Roman Rakus |
2cb460 |
if (buf == NULL)
|
|
Roman Rakus |
2cb460 |
goto lose2;
|
|
Roman Rakus |
2cb460 |
}
|
|
Roman Rakus |
2cb460 |
! else if ((size_t) size < len)
|
|
Roman Rakus |
2cb460 |
! {
|
|
Roman Rakus |
2cb460 |
! errno = ERANGE;
|
|
Roman Rakus |
2cb460 |
! goto lose2;
|
|
Roman Rakus |
2cb460 |
! }
|
|
Roman Rakus |
2cb460 |
(void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
|
|
Roman Rakus |
2cb460 |
}
|
|
Roman Rakus |
2cb460 |
--- 287,305 ----
|
|
Roman Rakus |
2cb460 |
{
|
|
Roman Rakus |
2cb460 |
size_t len = pathbuf + pathsize - pathp;
|
|
Roman Rakus |
2cb460 |
+ if (buf == NULL && size <= 0)
|
|
Roman Rakus |
2cb460 |
+ size = len;
|
|
Roman Rakus |
2cb460 |
+
|
|
Roman Rakus |
2cb460 |
+ if ((size_t) size < len)
|
|
Roman Rakus |
2cb460 |
+ {
|
|
Roman Rakus |
2cb460 |
+ errno = ERANGE;
|
|
Roman Rakus |
2cb460 |
+ goto lose2;
|
|
Roman Rakus |
2cb460 |
+ }
|
|
Roman Rakus |
2cb460 |
if (buf == NULL)
|
|
Roman Rakus |
2cb460 |
{
|
|
Roman Rakus |
2cb460 |
! buf = (char *) malloc (size);
|
|
Roman Rakus |
2cb460 |
if (buf == NULL)
|
|
Roman Rakus |
2cb460 |
goto lose2;
|
|
Roman Rakus |
2cb460 |
}
|
|
Roman Rakus |
2cb460 |
!
|
|
Roman Rakus |
2cb460 |
(void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
|
|
Roman Rakus |
2cb460 |
}
|
|
Roman Rakus |
2cb460 |
*** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006
|
|
Roman Rakus |
2cb460 |
--- patchlevel.h Mon Oct 16 14:22:54 2006
|
|
Roman Rakus |
2cb460 |
***************
|
|
Roman Rakus |
2cb460 |
*** 26,30 ****
|
|
Roman Rakus |
2cb460 |
looks for to find the patch level (for the sccs version string). */
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
! #define PATCHLEVEL 33
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
#endif /* _PATCHLEVEL_H_ */
|
|
Roman Rakus |
2cb460 |
--- 26,30 ----
|
|
Roman Rakus |
2cb460 |
looks for to find the patch level (for the sccs version string). */
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
! #define PATCHLEVEL 34
|
|
Roman Rakus |
2cb460 |
|
|
Roman Rakus |
2cb460 |
#endif /* _PATCHLEVEL_H_ */
|