Date: Tue, 15 Jul 2008 22:28:52 +0200
From: Stefan Farfeleder
To: "Simon L. Nielsen"
Cc: freebsd-current@freebsd.org
Subject: Re: [patch] segfault in sh for bogus redirection
Message-ID: <20080715202852.GB1366@lizard.fafoe.narf.at>
References: <20080713230635.GC15766@zaphod.nitro.dk>
In-Reply-To: <20080713230635.GC15766@zaphod.nitro.dk>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sdtB3X0nJg68CQEu"
Content-Disposition: inline

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Jul 14, 2008 at 01:06:35AM +0200, Simon L. Nielsen wrote:
> Hey Stefan (and other people familiar with the sh(1) code),
>
> I stumbled on a corner case bug in sh(1) where it segfaults instead of
> giving a proper error message. This only happens when you do
> something stupid, but I thought it should be fixed anyway.
>
> When you redirect to an unset or empty variable things fail:
>
> $ sh -c 'echo 1 >&$a'
> Segmentation fault (core dumped)
>
> With patch:
>
> $ sh -c 'echo 1 >&$a'
> Syntax error: Bad fd number
>
> I have made a patch which fixes the issue (attached) so it fails
> normally with an error, but I'm not sure if it's the right way of
> fixing it. Do you think this fix is OK, or is there a better way to
> do this?
>
> I also included a regression test to check for the problem.

Hi,

I don't think your patch is correct. The value of 'fn.list->text' is not
properly initialised in eval.c:441 and only NULL by chance. Try this patch
instead. I still need to test it properly though.

--sdtB3X0nJg68CQEu Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="redir.diff" Index: eval.c =================================================================== --- eval.c (revision 180476) +++ eval.c (working copy) @@ -437,7 +437,7 @@ case NFROMFD: case NTOFD: if (redir->ndup.vname) { - expandarg(redir->ndup.vname, &fn, EXP_FULL | EXP_TILDE); + expandarg(redir->ndup.vname, &fn, EXP_TILDE | EXP_REDIR); fixredir(redir, fn.list->text, 1); } break; --sdtB3X0nJg68CQEu--
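
Review bot: in the eval.c hunk at -437, `fixredir(redir, fn.list->text, 1);` still dereferences `fn.list` with no check, so the change is only safe if `expandarg()` called with `EXP_TILDE | EXP_REDIR` always leaves a list entry in `fn`, including when `redir->ndup.vname` expands to nothing. Please either initialise `fn` before the call and test `fn.list` for NULL before passing its text to `fixredir()`, or add a comment stating why dropping `EXP_FULL` guarantees exactly one entry. The diff also carries no regression test for the `echo 1 >&$a` case mentioned in the thread; adding one alongside this change would keep the unset and empty-variable paths covered.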