Re: Buffer overflow in bash 1.14.7(1)
Michael Riepe (michael@STUD.UNI-HANNOVER.DE)
Sat, 5 Sep 1998 16:31:03 +0200
On Fri, Sep 04, 1998 at 04:09:28PM +0000, Joao Manuel Carolino wrote:
> If you cd into a directory which has a path name larger than 1024 bytes
> and you have '\w' included in your PS1 environment variable (which makes
> the path to the current working directory appear in each command line
> prompt), a buffer overflow will occur.
> The following was tested on my machine, running Slackware 3.5:
>
> einstein:~# gdb bash
[...]

Setting PS1 to any long string will have the same effect. This is a bug in libreadline (more precisely, in rl_redisplay() in .../lib/readline/display.c), and it is still present in bash-2.02.1. AFAIK, it was reported to the maintainer several weeks ago.

--
Michael "Tired" Riepe <Michael.Riepe@stud.uni-hannover.de>
"All I wanna do is have a little fun before I die"

Attachment: bash-2.02.1-fix.diff (fix for readline line buffer overflow)

diff -ru bash-2.02.1.orig/lib/readline/display.c bash-2.02.1/lib/readline/display.c
--- bash-2.02.1.orig/lib/readline/display.c Sat Sep 5 14:51:29 1998
+++ bash-2.02.1/lib/readline/display.c Sat Sep 5 15:08:57 1998
-307,6 +307,20
} } +static void +_rl_extend_buffers (int max_size) +{ + if (max_size >= line_size) + { + while (max_size >= line_size) + { + line_size *= 2; + } + visible_line = xrealloc (visible_line, line_size); + invisible_line = xrealloc (invisible_line, line_size); + } +} + /* Basic redisplay algorithm. */ void rl_redisplay ()
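Review bot: the new `_rl_extend_buffers` reassigns the globals `visible_line` and `invisible_line` but not the local `line` alias inside `rl_redisplay`, so every caller must reassign `line = invisible_line` after the call or it writes through a pointer that `xrealloc` may have freed; returning `invisible_line` from the helper would make the re-bind impossible to forget. The function also lacks a comment saying that `max_size` is the largest index that will be written (the `>=` test is what leaves the terminator slot in bounds) and that the outer `if` exists only to skip the two `xrealloc` calls when nothing grows.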
-373,6 +387,8
if (local_len > 0) { + _rl_extend_buffers(out + local_len); + line = invisible_line; strncpy (line + out, local_prompt, local_len); out += local_len; }
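Review bot: style, `_rl_extend_buffers(out + local_len)` omits the space before the parenthesis that the surrounding GNU-style code uses (`strncpy (line + out, local_prompt, local_len)`); also keep the `line = invisible_line;` re-bind on the line directly after the call, as done here, since `xrealloc` may move the buffer and any statement between the two would operate on a stale pointer.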
-399,6 +415,8
} pmtlen = strlen (prompt_this_line); + _rl_extend_buffers(out + pmtlen); + line = invisible_line; strncpy (line + out, prompt_this_line, pmtlen); out += pmtlen; line[out] = '\0';
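Review bot: the argument `out + pmtlen` is sufficient only because the helper compares with `>=`, which leaves index `out + pmtlen` free for the `line[out] = '\0'` written after the copy; a short comment on the call noting that the argument is the index of the terminator, not a byte count, would make that dependency explicit for the next person who touches the helper.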
-440,13 +458,8
{ c = (unsigned char)rl_line_buffer[in]; - if (out + 8 >= line_size) /* XXX - 8 for \t */ - { - line_size *= 2; - visible_line = xrealloc (visible_line, line_size); - invisible_line = xrealloc (invisible_line, line_size); - line = invisible_line; - } + _rl_extend_buffers(out + 8); /* XXX - 8 for \t */ + line = invisible_line; if (in == rl_point) { --lrZ03NoBR/3+SXJZ--
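Review bot: the `8` margin is now passed as a bare literal (`_rl_extend_buffers(out + 8); /* XXX - 8 for \t */`) from a different place than the tab expansion that needs it, so consider a named constant shared by both; behaviour at this call site is otherwise unchanged, since the removed inline check grew the buffers by one doubling per character and the helper's loop converges to the same size. Same missing space before `(` as in the other calls.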
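As an added illustration of the growth invariant the patch relies on, here is a constructed C model of the fix; it is not code from bash or readline, and `extend_buffers`, `append_prompt`, `demo_long_prompt` and `INITIAL_LINE_SIZE` are assumed names standing in for the patched functions and their starting buffer size.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the patch's _rl_extend_buffers(); not readline's code. */
#define INITIAL_LINE_SIZE 1024   /* assumed starting size of the line buffers */

static char *visible_line;
static char *invisible_line;
static size_t line_size;

/* Double line_size until max_size < line_size, so that line[max_size], the slot
   for the terminator, is in bounds; return the fresh invisible_line pointer. */
static char *extend_buffers(size_t max_size)
{
    size_t new_size = line_size ? line_size : INITIAL_LINE_SIZE;
    while (max_size >= new_size)
        new_size *= 2;
    if (new_size != line_size || invisible_line == NULL) {
        line_size = new_size;
        visible_line = realloc(visible_line, line_size);
        invisible_line = realloc(invisible_line, line_size);
        if (visible_line == NULL || invisible_line == NULL)
            abort();                    /* readline's xrealloc aborts too */
    }
    return invisible_line;
}

/* Model of the prompt-copy step in rl_redisplay(): grow first, then copy. */
static size_t append_prompt(size_t out, const char *prompt)
{
    size_t len = strlen(prompt);
    char *line = extend_buffers(out + len);   /* re-bind: the block may move */
    memcpy(line + out, prompt, len);
    out += len;
    line[out] = '\0';                         /* out < line_size is guaranteed */
    return out;
}
size_t current_line_size(void) { return line_size; }
const char *current_line(void) { return invisible_line; }
/* Constructed input: a prompt of prompt_len 'A's; returns bytes now in line. */
size_t demo_long_prompt(size_t prompt_len)
{
    char *prompt = malloc(prompt_len + 1);
    if (prompt == NULL) abort();
    memset(prompt, 'A', prompt_len);
    prompt[prompt_len] = '\0';
    size_t out = append_prompt(0, prompt);
    free(prompt);
    return out;
}
```

With a 5000-byte prompt the buffers grow from 1024 to 8192 bytes before any copy, which is the check the unpatched rl_redisplay() never made.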