[10278] in bugtraq
Re: Buffer overflow in BASH
daemon@ATHENA.MIT.EDU (Chet Ramey)
Tue Apr 20 14:10:18 1999
Date: Mon, 19 Apr 1999 16:59:24 -0400
Reply-To: chet@po.CWRU.Edu
From: Chet Ramey <chet@NIKE.INS.CWRU.EDU>
X-To: wojtek@ROUTER.ELZAB.COM.PL
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Message from wojtek@ROUTER.ELZAB.COM.PL of Mon, 19 Apr 1999
             11:40:27 +0200 (id
             <Pine.LNX.4.04.9904191137470.3051-100000@router.elzab.com.pl>)
> BASH wrongly allocates memory for lines read from redirected
> standard input. If you use the CMD << _EOF_WORD_ operator to
> redirect standard input, BASH will read the following lines from
> the command input (either tty or shell script) into
> dynamically allocated memory until it encounters _EOF_WORD_.
> BASH allocates only 1000 bytes for the first line regardless
> of line length. I looked at the source code and this is what I
> found in 'make_cmd.c':
>
>   if (len + document_index >= document_size)
>     {
>       document_size = document_size ? 2 * (document_size + len)
>                                     : 1000;  /* XXX */
>       document = xrealloc (document, document_size);
>     }
This was fixed a long time ago, with bash-2.02.1 for sure, which was
released almost a year ago.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet)
Chet Ramey, Case Western Reserve University Internet: chet@po.CWRU.Edu
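
The sizing rule quoted in the report, next to a bounds-respecting variant, as an added example (not code from bash or from either poster). The names grow_quoted, grow_checked and first_line_fits are hypothetical, the one-byte NUL terminator is an assumption, and grow_checked is one possible correction, not the change that shipped in bash-2.02.1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growth rule as quoted from make_cmd.c: an empty buffer always becomes
   1000 bytes, whatever the length of the incoming line. */
size_t grow_quoted(size_t size, size_t index, size_t len)
{
    if (len + index >= size)
        size = size ? 2 * (size + len) : 1000;
    return size;
}

/* Assumed hardened rule (not bash's actual fix): grow until the line and
   its terminating NUL fit. */
size_t grow_checked(size_t size, size_t index, size_t len)
{
    size_t need = index + len + 1;
    if (size == 0)
        size = 1000;
    while (size < need)
        size *= 2;
    return size;
}

/* Store a constructed first line of `len` bytes in an empty document sized
   by `grow`. Returns 1 if it fits, 0 where the copy would pass the end. */
int first_line_fits(size_t (*grow)(size_t, size_t, size_t), size_t len)
{
    size_t size = grow(0, 0, len);
    char *document = malloc(size);
    int fits = 0;
    if (document && len + 1 <= size) {
        memset(document, 'A', len);   /* constructed line content */
        document[len] = '\0';
        fits = 1;
    }
    free(document);
    return fits;
}

int main(void)
{
    printf("quoted rule,  1500-byte line: size=%zu fits=%d\n",
           grow_quoted(0, 0, 1500), first_line_fits(grow_quoted, 1500));
    printf("checked rule, 1500-byte line: size=%zu fits=%d\n",
           grow_checked(0, 0, 1500), first_line_fits(grow_checked, 1500));
    return 0;
}
```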