* Out-of-bounds access in alias command
@ 2023-01-09 0:02 Harald van Dijk
2023-01-22 15:09 ` Harald van Dijk
0 siblings, 1 reply; 3+ messages in thread
From: Harald van Dijk @ 2023-01-09 0:02 UTC (permalink / raw)
To: DASH shell mailing list
Hi,
Consider
alias ""
In aliascmd(), we have
while ((n = *++argv) != NULL) {
if ((v = strchr(n+1, '=')) == NULL) { /* n+1: funny ksh stuff */
When *n == '\0', the strchr(n+1, '=') searches past the end of the string.
I have not yet been able to construct a test case where this causes
problems, because my attempts have resulted in the memory following this
empty string not containing any = before another null byte appears.
Cheers,
Harald van Dijk
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Out-of-bounds access in alias command
2023-01-09 0:02 Out-of-bounds access in alias command Harald van Dijk
@ 2023-01-22 15:09 ` Harald van Dijk
2024-04-08 4:55 ` [PATCH] alias: Fix out-of-bound access Herbert Xu
0 siblings, 1 reply; 3+ messages in thread
From: Harald van Dijk @ 2023-01-22 15:09 UTC (permalink / raw)
To: DASH shell mailing list
On 09/01/2023 00:02, Harald van Dijk wrote:
> Hi,
>
> Consider
>
> alias ""
>
> In aliascmd(), we have
>
> while ((n = *++argv) != NULL) {
> if ((v = strchr(n+1, '=')) == NULL) { /* n+1: funny ksh stuff */
I had trusted that this "n+1: funny ksh stuff" logic which allows an
alias to start with = was because ksh allows this, but I tested this
now, it does not and I can find no evidence that it ever did. Maybe it
would be good to just remove this exception, or if dash wants to keep
it, document it as an ash extension rather than claim it as a ksh thing?
Cheers,
Harald van Dijk
^ permalink raw reply [flat|nested] 3+ messages in thread* [PATCH] alias: Fix out-of-bound access
2023-01-22 15:09 ` Harald van Dijk
@ 2024-04-08 4:55 ` Herbert Xu
0 siblings, 0 replies; 3+ messages in thread
From: Herbert Xu @ 2024-04-08 4:55 UTC (permalink / raw)
To: Harald van Dijk; +Cc: dash
Harald van Dijk <harald@gigawatt.nl> wrote:
>
> I had trusted that this "n+1: funny ksh stuff" logic which allows an
> alias to start with = was because ksh allows this, but I tested this
> now, it does not and I can find no evidence that it ever did. Maybe it
> would be good to just remove this exception, or if dash wants to keep
> it, document it as an ash extension rather than claim it as a ksh thing?
Thanks. This patch should fix the overrun.
---8<---
Check for empty string before searching for equal sign starting at
n+1 in aliascmd.
Reported-by: Harald van Dijk <harald@gigawatt.nl>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/src/alias.c b/src/alias.c
index fcad43b..cee07e9 100644
--- a/src/alias.c
+++ b/src/alias.c
@@ -143,7 +143,8 @@ aliascmd(int argc, char **argv)
return (0);
}
while ((n = *++argv) != NULL) {
- if ((v = strchr(n+1, '=')) == NULL) { /* n+1: funny ksh stuff */
+ /* n + 1: funny ksh stuff (from 44lite) */
+ if (!*n || !(v = strchr(n + 1, '='))) {
if ((ap = *__lookupalias(n)) == NULL) {
outfmt(out2, "%s: %s not found\n", "alias", n);
ret = 1;
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-04-08 4:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-09 0:02 Out-of-bounds access in alias command Harald van Dijk
2023-01-22 15:09 ` Harald van Dijk
2024-04-08 4:55 ` [PATCH] alias: Fix out-of-bound access Herbert Xu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.