[git commit] ash: in heredoc code, fix access past the end of allocated memory. Closes 9276
Denys Vlasenko
vda.linux at googlemail.com
Sun Sep 25 19:24:04 UTC 2016
commit: https://git.busybox.net/busybox/commit/?id=557482c1cbeacaeb24247738b09983a0736d407a
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
shell/ash.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/shell/ash.c b/shell/ash.c
index 578b3dc..a113ff1 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -5112,8 +5112,26 @@ openredirect(union node *redir)
char *fname;
int f;
+ switch (redir->nfile.type) {
+/* Can't happen, our single caller does this itself */
+// case NTOFD:
+// case NFROMFD:
+// return -1;
+ case NHERE:
+ case NXHERE:
+ return openhere(redir);
+ }
+
+ /* For N[X]HERE, reading redir->nfile.expfname would touch beyond
+ * allocated space. Do it only when we know it is safe.
+ */
fname = redir->nfile.expfname;
+
switch (redir->nfile.type) {
+ default:
+#if DEBUG
+ abort();
+#endif
case NFROM:
f = open(fname, O_RDONLY);
if (f < 0)
@@ -5146,20 +5164,6 @@ openredirect(union node *redir)
if (f < 0)
goto ecreate;
break;
- default:
-#if DEBUG
- abort();
-#endif
- /* Fall through to eliminate warning. */
-/* Our single caller does this itself */
-// case NTOFD:
-// case NFROMFD:
-// f = -1;
-// break;
- case NHERE:
- case NXHERE:
- f = openhere(redir);
- break;
}
return f;
More information about the busybox-cvs
mailing list