diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2016-09-25 21:24:04 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2016-09-25 21:24:04 +0200 |
| commit | 557482c1cbeacaeb24247738b09983a0736d407a (patch) | |
| tree | eee94ae5b14767cd4bdb85b92512dbdc9d5b4fcc /shell/ash.c | |
| parent | 13f20919b2477230063bb940396bef51b463d6df (diff) | |
| download | busybox-w32-557482c1cbeacaeb24247738b09983a0736d407a.tar.gz busybox-w32-557482c1cbeacaeb24247738b09983a0736d407a.tar.bz2 busybox-w32-557482c1cbeacaeb24247738b09983a0736d407a.zip | |
ash: in heredoc code, fix access past the end of allocated memory. Closes 9276
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'shell/ash.c')
| -rw-r--r-- | shell/ash.c | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/shell/ash.c b/shell/ash.c index 578b3dc22..a113ff155 100644 --- a/shell/ash.c +++ b/shell/ash.c | |||
| @@ -5112,8 +5112,26 @@ openredirect(union node *redir) | |||
| 5112 | char *fname; | 5112 | char *fname; |
| 5113 | int f; | 5113 | int f; |
| 5114 | 5114 | ||
| 5115 | switch (redir->nfile.type) { | ||
| 5116 | /* Can't happen, our single caller does this itself */ | ||
| 5117 | // case NTOFD: | ||
| 5118 | // case NFROMFD: | ||
| 5119 | // return -1; | ||
| 5120 | case NHERE: | ||
| 5121 | case NXHERE: | ||
| 5122 | return openhere(redir); | ||
| 5123 | } | ||
| 5124 | |||
| 5125 | /* For N[X]HERE, reading redir->nfile.expfname would touch beyond | ||
| 5126 | * allocated space. Do it only when we know it is safe. | ||
| 5127 | */ | ||
| 5115 | fname = redir->nfile.expfname; | 5128 | fname = redir->nfile.expfname; |
| 5129 | |||
| 5116 | switch (redir->nfile.type) { | 5130 | switch (redir->nfile.type) { |
| 5131 | default: | ||
| 5132 | #if DEBUG | ||
| 5133 | abort(); | ||
| 5134 | #endif | ||
| 5117 | case NFROM: | 5135 | case NFROM: |
| 5118 | f = open(fname, O_RDONLY); | 5136 | f = open(fname, O_RDONLY); |
| 5119 | if (f < 0) | 5137 | if (f < 0) |
| @@ -5146,20 +5164,6 @@ openredirect(union node *redir) | |||
| 5146 | if (f < 0) | 5164 | if (f < 0) |
| 5147 | goto ecreate; | 5165 | goto ecreate; |
| 5148 | break; | 5166 | break; |
| 5149 | default: | ||
| 5150 | #if DEBUG | ||
| 5151 | abort(); | ||
| 5152 | #endif | ||
| 5153 | /* Fall through to eliminate warning. */ | ||
| 5154 | /* Our single caller does this itself */ | ||
| 5155 | // case NTOFD: | ||
| 5156 | // case NFROMFD: | ||
| 5157 | // f = -1; | ||
| 5158 | // break; | ||
| 5159 | case NHERE: | ||
| 5160 | case NXHERE: | ||
| 5161 | f = openhere(redir); | ||
| 5162 | break; | ||
| 5163 | } | 5167 | } |
| 5164 | 5168 | ||
| 5165 | return f; | 5169 | return f; |