
Re: Buffer overflow in bash 1.14.7(1)


From: michael () STUD UNI-HANNOVER DE (Michael Riepe)
Date: Sat, 5 Sep 1998 16:31:03 +0200



On Fri, Sep 04, 1998 at 04:09:28PM +0000, Joao Manuel Carolino wrote:
If you cd into a directory whose path name is longer than 1024 bytes
and your PS1 environment variable contains '\w' (which makes the path to
the current working directory appear in each command-line prompt), a
buffer overflow occurs.
The following was tested on my machine, running Slackware 3.5:

einstein:~# gdb bash
[...]

Setting PS1 to any sufficiently long string has the same effect.
This is a bug in libreadline (more precisely, in rl_redisplay() in
.../lib/readline/display.c), which copies the expanded prompt into the
heap-allocated line buffer without checking that it fits, and it is still
present in bash-2.02.1. Note that PS1 and the working directory are
normally controlled by the same user who runs the shell, so on its own
this is mainly a crash; it matters where a prompt string or path from a
less trusted source reaches a shell running with more privilege.
As far as I know, it was reported to the maintainer several weeks ago.

--
 Michael "Tired" Riepe <Michael.Riepe () stud uni-hannover de>
 "All I wanna do is have a little fun before I die"

Content-Description: fix for readline line buffer overflow
Content-Disposition: attachment; filename="bash-2.02.1-fix.diff"

diff -ru bash-2.02.1.orig/lib/readline/display.c bash-2.02.1/lib/readline/display.c
--- bash-2.02.1.orig/lib/readline/display.c     Sat Sep  5 14:51:29 1998
+++ bash-2.02.1/lib/readline/display.c  Sat Sep  5 15:08:57 1998
@@ -307,6 +307,20 @@
     }
 }

+static void
+_rl_extend_buffers (int max_size)
+{
+  if (max_size >= line_size)
+    {
+      while (max_size >= line_size)
+       {
+         line_size *= 2;
+       }
+      visible_line = xrealloc (visible_line, line_size);
+      invisible_line = xrealloc (invisible_line, line_size);
+    }
+}
+
 /* Basic redisplay algorithm. */
 void
 rl_redisplay ()
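Review bot: `_rl_extend_buffers` leaves any caller-held pointer into the buffers stale once `xrealloc` moves `invisible_line`, so every call site must be followed by `line = invisible_line;` — the three call sites in this patch do that, but nothing in the helper enforces or documents it. Give it a header comment such as `/* Grow visible_line/invisible_line until they hold more than max_size bytes (room for the NUL); xrealloc may move them, so callers must reload any pointer into them (line = invisible_line) afterwards. */`. The doubling loop is also unbounded: `line_size` is an `int`, so a very large `max_size` makes `line_size *= 2` overflow, which is undefined behaviour and in practice can leave the loop spinning or hand a negative size to xrealloc; a guard before the doubling, e.g. `if (line_size > INT_MAX / 2) abort ();` (or the library's existing out-of-memory path, which I cannot see from here), would close that. The outer `if` duplicates the `while` condition and can be dropped.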
@@ -373,6 +387,8 @@

       if (local_len > 0)
        {
+         _rl_extend_buffers(out + local_len);
+         line = invisible_line;
          strncpy (line + out, local_prompt, local_len);
          out += local_len;
        }
@@ -399,6 +415,8 @@
        }

       pmtlen = strlen (prompt_this_line);
+      _rl_extend_buffers(out + pmtlen);
+      line = invisible_line;
       strncpy (line + out,  prompt_this_line, pmtlen);
       out += pmtlen;
       line[out] = '\0';
@@ -440,13 +458,8 @@
     {
       c = (unsigned char)rl_line_buffer[in];

-      if (out + 8 >= line_size)                /* XXX - 8 for \t */
-       {
-         line_size *= 2;
-         visible_line = xrealloc (visible_line, line_size);
-         invisible_line = xrealloc (invisible_line, line_size);
-         line = invisible_line;
-       }
+      _rl_extend_buffers(out + 8);     /* XXX - 8 for \t */
+      line = invisible_line;

       if (in == rl_point)
        {
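Review bot: The `8` in `_rl_extend_buffers(out + 8)` is still a magic number carried over with its `XXX` comment; now that the helper guarantees `line_size > out + 8`, the reservation is the worst-case expansion of a single input character (a tab padded to the next tab stop, if the expansion code below this hunk is readline's usual tab handling — that code is outside the hunk). Replace it with a named constant and a comment that says so, e.g. `#define MAX_CHAR_EXPANSION 8 /* a tab expands to at most 8 output bytes */` and `_rl_extend_buffers (out + MAX_CHAR_EXPANSION);`, so the next person who changes the expansion logic sees what must stay in sync. Reloading `line = invisible_line` on every iteration is correct since the helper may have moved the buffer; the enclosing loop and rl_redisplay continue past the end of this hunk.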



