Bugtraq mailing list archives
Re: Buffer overflow in BASH
From: chet () NIKE INS CWRU EDU (Chet Ramey)
Date: Mon, 19 Apr 1999 16:59:24 -0400
BASH wrongly allocates memory for lines read from redirected
standard input. If you use the CMD << _EOF_WORD_ operator to
redirect standard input, BASH will read the following lines from
the command input (either tty or shell script) into
dynamically allocated memory until it encounters _EOF_WORD_.
BASH allocates only 1000 bytes for the first line regardless
of line length. I looked at the source code and this is what I
found in 'make_cmd.c':

    if (len + document_index >= document_size)
      {
        document_size = document_size ? 2 * (document_size + len)
                                      : 1000; /* XXX */
        document = xrealloc (document, document_size);
      }

This was fixed a long time ago, with bash-2.02.1 for sure, which was released
almost a year ago.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet)

Chet Ramey, Case Western Reserve University    Internet: chet () po CWRU Edu
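
Added example, not part of either post and not bash's own fix: the sizing rule quoted from make_cmd.c next to a checked growth rule, so the first-line shortfall can be computed without overrunning anything. The names quoted_shortfall, checked_new_size, struct heredoc and heredoc_append are hypothetical, and the example assumes the caller stores len bytes plus a terminating NUL.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizing rule exactly as quoted from make_cmd.c; returns the new capacity. */
size_t quoted_new_size(size_t size, size_t index, size_t len)
{
    if (len + index >= size)
        size = size ? 2 * (size + len) : 1000;   /* first call ignores len */
    return size;
}

/* Bytes by which len bytes plus NUL overrun the quoted capacity (0 = fits). */
size_t quoted_shortfall(size_t size, size_t index, size_t len)
{
    size_t cap = quoted_new_size(size, index, len), need = index + len + 1;
    return need > cap ? need - cap : 0;
}

/* Hypothetical checked rule: double until index + len + 1 fits; 0 on wrap. */
size_t checked_new_size(size_t size, size_t index, size_t len)
{
    if (index >= SIZE_MAX || len > SIZE_MAX - 1 - index) return 0;
    size_t need = index + len + 1, cap = size ? size : 1000;
    while (cap < need)
        cap = cap > SIZE_MAX / 2 ? need : cap * 2;
    return cap;
}

struct heredoc { char *buf; size_t size, index; };   /* hypothetical container */
/* Append one line, growing the buffer first; 0 on success, -1 on failure. */
int heredoc_append(struct heredoc *d, const char *line, size_t len)
{
    size_t want = checked_new_size(d->size, d->index, len);
    char *p = want ? realloc(d->buf, want) : NULL;
    if (!p) return -1;            /* size wrapped or allocation failed */
    d->buf = p;
    d->size = want;
    memcpy(d->buf + d->index, line, len);
    d->index += len;
    d->buf[d->index] = '\0';
    return 0;
}

int main(void)
{
    /* constructed case: a 4096-byte first line arriving at an empty buffer */
    printf("quoted rule is %zu bytes short\n", quoted_shortfall(0, 0, 4096));
}
```

Under the quoted rule only the very first allocation can come up short; once document_size is non-zero the doubling branch already accounts for len.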
