[Bug 10686] New: hush does not terminate on variable substitution with empty pattern
bugzilla at busybox.net
bugzilla at busybox.net
Thu Jan 25 09:32:23 UTC 2018
https://bugs.busybox.net/show_bug.cgi?id=10686
Bug ID: 10686
Summary: hush does not terminate on variable substitution with
empty pattern
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: julian.buening at rwth-aachen.de
CC: busybox-cvs at busybox.net,
daniel.schemmel at comsys.rwth-aachen.de
Target Milestone: ---
Observed behavior:
$ echo -en "echo \${_//}" | ./busybox hush &
[1] 1000
$ jobs
[1]+ Running echo -en "echo \${_//}" | ./busybox hush &
Expected behavior:
$ echo -en "echo \${_//}" | ./busybox hush &
[1] 1000
./busybox
[1]+ Done echo -en "echo \${_//}" | ./busybox hush
When, instead of leaving it empty, a pattern that does not match is provided,
the command works as expected.
We found this behavior in version 1.27.2 and can also reproduce it with busybox
1.28.0 as well as the current master (commit d8fd88a09) compiled with make
defconfig && make.
The function that is called to compute the location of any matches,
strstr_pattern() in hush.c, has the following behavior on an empty pattern: It
computes the size of the match, which is 0, and returns the pointer given to it
as start of the input. This return value is checked by replace_pattern():
while (1) {
int size;
char *s = strstr_pattern(val, pattern, &size);
if (!s)
break;
// ...
val = s + size;
// ...
}
As the return value is not NULL (it points to the same address as val), the
loop is not broken. As the size is zero, the pointer is not advanced, thus
provoking the same behavior of strstr_pattern() as before.
This behavior was found using Symbolic Execution techniques developed in the
course of the SYMBIOSYS research project at COMSYS, RWTH Aachen University.
This research is supported by the European Research Council (ERC) under the
EU's Horizon 2020 Research and Innovation Programme grant agreement n. 647295
(SYMBIOSYS).
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the busybox-cvs
mailing list