Bugtraq mailing list archives
Buffer overflow in BASH
From: wojtek () ROUTER ELZAB COM PL (Wojciech Purczynski)
Date: Mon, 19 Apr 1999 11:40:27 +0200
Some days ago I found a buffer overflow in BASH. BASH wrongly allocates memory for lines read from redirected standard input. If you use the CMD << _EOF_WORD_ operator to redirect standard input, BASH will read the following lines from the command input (either tty or shell script) into dynamically allocated memory until it encounters _EOF_WORD_. BASH allocates only 1000 bytes for the first line regardless of line length.

I looked at the source code and this is what I found in 'make_cmd.c':

    if (len + document_index >= document_size)
      {
        document_size = document_size ? 2 * (document_size + len) : 1000; /* XXX */
        document = xrealloc (document, document_size);
      }

So, if we type a line longer than 1000 characters, BASH will exit with a reason like 'Segmentation fault (core dumped)' (it's my favorite :) ).

Here is an example script:

--- start of test.sh ---
#!/bin/bash
cat << _EOF_
_here_should_be_line_longer_than_1000_bytes________
_EOF_
--- end of test.sh ---

I have a question to the authors of BASH: What does '/* XXX */' mean? It's not my remark!

Fix: Just replace '1000' with '1000+len' and everything should be OK.

Patch:

--- start of bash-1.14.7-redir.patch ---
--- make_cmd.c	Fri Jul  1 01:15:03 1994
+++ make_cmd.c.redir	Mon Apr  5 22:33:43 1999
@@ -424,7 +424,7 @@
       if (len + document_index >= document_size)
 	{
 	  document_size = document_size ? 2 * (document_size + len)
-					: 1000; /* XXX */
+					: 1000+len; /* much better,huh? */
 	  document = xrealloc (document, document_size);
 	}
--- end of bash-1.14.7-redir.patch ---

I think that all versions up to 1.14.7 have this bug but I have no time to check it.

Vooyec <wojtek () elzab com pl>
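Review bot: the `+` line swaps the `/* XXX */` marker for `/* much better,huh? */`, which tells the next maintainer nothing about why the initial size depends on `len`; a comment such as `/* first allocation must hold the first line, which may exceed 1000 bytes */` would document the bug this fixes. The arithmetic itself is sound as far as the hunk shows: on the first pass `document_index` is 0, so `1000+len` leaves room for the `len` bytes about to be copied, and the `2 * (document_size + len)` branch on later passes was already large enough because that branch only runs once `document_size` is non-zero and `document_index` has stayed below it. Since the headers name `make_cmd.c` as the old file and `make_cmd.c.redir` as the new one, the patch applies to a stock tree with `patch -p0` from the directory containing make_cmd.c; stating that in the post would save readers from guessing the direction.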
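As an added example (not from the post and not bash's code), the C below models the here-document sizing rule quoted above so the overflow can be reasoned about without crashing a shell: `simulate_two_lines` tracks sizes only, comparing the original 1000-byte initial allocation with the proposed `1000+len`, and `build_here_document` is a hypothetical accumulator that uses the corrected rule and reserves a byte for the terminator. All function names, the 1500-byte sample line and the `FASTCOPY` remark are my own assumptions about the surrounding loop, which the post does not show.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_DOCUMENT_SIZE 1000   /* the "1000" from make_cmd.c */

/* Sizing rule from the make_cmd.c lines quoted in the post.
   fixed == 0 reproduces the original initial size of 1000 bytes,
   fixed == 1 reproduces the proposed 1000+len. */
static size_t next_document_size(size_t document_size, size_t len, int fixed)
{
    if (document_size)
        return 2 * (document_size + len);
    return fixed ? INITIAL_DOCUMENT_SIZE + len : INITIAL_DOCUMENT_SIZE;
}

/* Dry run of appending one line: tracks sizes only, touches no memory.
   Returns 1 when the copy of len bytes lands inside the allocation,
   0 when it would run past the end of the buffer. */
static int line_fits(size_t *document_size, size_t *document_index,
                     size_t len, int fixed)
{
    if (len + *document_index >= *document_size)
        *document_size = next_document_size(*document_size, len, fixed);
    if (*document_index + len > *document_size)
        return 0;                 /* the copy into document would overflow */
    *document_index += len;
    return 1;
}

/* Simulate a two-line here-document. Returns 0 when both lines fit,
   1 when the first line overflows, 2 when the second one does. */
int simulate_two_lines(size_t len1, size_t len2, int fixed)
{
    size_t document_size = 0, document_index = 0;
    if (!line_fits(&document_size, &document_index, len1, fixed))
        return 1;
    if (!line_fits(&document_size, &document_index, len2, fixed))
        return 2;
    return 0;
}

/* Hypothetical accumulator using the corrected rule (not bash's loop).
   The extra byte keeps room for the NUL written after the loop. Lines are
   concatenated as given, so a caller wanting newlines includes them.
   Returns a malloc'd string or NULL on allocation failure. */
char *build_here_document(const char *const *lines, size_t nlines)
{
    char *document = NULL;
    size_t document_size = 0, document_index = 0, i;

    for (i = 0; i < nlines; i++) {
        size_t len = strlen(lines[i]);
        if (len + document_index + 1 >= document_size) {
            size_t new_size = next_document_size(document_size, len + 1, 1);
            char *p = realloc(document, new_size);
            if (!p) {
                free(document);
                return NULL;
            }
            document = p;
            document_size = new_size;
        }
        memcpy(document + document_index, lines[i], len);
        document_index += len;
    }
    if (!document) {                      /* zero lines: empty body */
        document = malloc(1);
        if (!document)
            return NULL;
    }
    document[document_index] = '\0';
    return document;
}

/* Constructed check: a 1500-byte first line, the case that crashed bash.
   Returns 1 when the built document has exactly the expected contents. */
int demo_long_first_line(void)
{
    char longline[1501];
    const char *lines[3];
    char *doc;
    int ok;

    memset(longline, 'A', 1500);          /* constructed sample line */
    longline[1500] = '\0';
    lines[0] = longline;
    lines[1] = "\n";
    lines[2] = "tail\n";

    doc = build_here_document(lines, 3);
    if (!doc)
        return 0;
    ok = strlen(doc) == 1500 + 1 + 5
         && doc[0] == 'A' && doc[1499] == 'A'
         && strcmp(doc + 1500, "\ntail\n") == 0;
    free(doc);
    return ok;
}

int main(void)
{
    printf("1500-byte first line, original rule: %s\n",
           simulate_two_lines(1500, 10, 0) ? "overflow" : "fits");
    printf("1500-byte first line, 1000+len rule: %s\n",
           simulate_two_lines(1500, 10, 1) ? "overflow" : "fits");
    printf("corrected accumulator check: %s\n",
           demo_long_first_line() ? "ok" : "FAILED");
    return 0;
}
```

The dry run reproduces the post's claim: only the first line can overflow, because `2 * (document_size + len)` always exceeds `document_index + len` once the buffer exists, whereas the constant 1000 ignores the first line's length entirely.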
Current thread:
- Re: Large size file and Midnight/bug in crontab with this file Mixter (Apr 15)
- PATCH: Fix for linux 2.0.x -ve truncation problem Chris Wedgwood (Apr 18)
- Re: PATCH: Fix for linux 2.0.x -ve truncation problem Chris Wedgwood (Apr 18)
- new syslogd exploits? Ry Jones (Apr 18)
- Buffer overflow in BASH Wojciech Purczynski (Apr 19)
- Re: Buffer overflow in BASH Chet Ramey (Apr 19)
- PATCH: Fix for linux 2.0.x -ve truncation problem Chris Wedgwood (Apr 18)