From owner-freebsd-bugs Wed Dec 25 20:50: 6 2002
Message-Id: <200212260440.gBQ4eKUa064588@server.c18609.belrs1.nsw.optusnet.com.au>
Date: Thu, 26 Dec 2002 15:40:20 +1100 (EST)
From: Peter Jeremy
Reply-To: Peter Jeremy
To: FreeBSD-gnats-submit@FreeBSD.org, christos@zoulas.com
X-Send-Pr-Version: 3.113
Subject: bin/46533: Inadequate validity checking on args to tcsh builtin 'kill'
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk

>Number: 46533
>Category: bin
>Synopsis: Inadequate validity checking on args to tcsh builtin 'kill'
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 25 20:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Peter Jeremy
>Release: FreeBSD 4.7-PRERELEASE i386
>Organization: n/a
>Environment:
System: FreeBSD server.c18609.belrs1.nsw.optusnet.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #4: Sat Sep 14 15:07:16 EST 2002 root@server.c18609.belrs1.nsw.optusnet.com.au:/usr/obj/usr/src/sys/server i386
tcsh: $Id: sh.proc.c,v 3.76 2002/03/08 17:36:46 christos Exp $
>Description:
The `kill' builtin in tcsh uses atoi(3) to parse numeric arguments (pids or signals). As long as an argument begins with a digit, it is treated as a valid number, even if it contains non-numeric characters. This bug does not exist in /bin/kill or zsh.
>How-To-Repeat:
I found the bug when I accidentally entered
	# kill 1q5808
as root and found my remote shell (and the entire system) died.
>Fix:
Index: sh.proc.c =================================================================== RCS file: /usr/ncvs/src/contrib/tcsh/sh.proc.c,v retrieving revision 1.1.1.1.2.4 diff -u -r1.1.1.1.2.4 sh.proc.c --- sh.proc.c 10 Aug 2002 18:14:45 -0000 1.1.1.1.2.4 +++ sh.proc.c 26 Dec 2002 04:25:36 -0000 @@ -1536,6 +1536,7 @@ register int signum, len = 0; register char *name; Char *sigptr; + char *ep; extern int T_Cols; extern int nsig; 
@@ -1566,8 +1567,8 @@ } } if (Isdigit(*sigptr)) { - signum = atoi(short2str(sigptr)); - if (signum < 0 || signum > (MAXSIG-1)) + signum = strtol(short2str(sigptr), &ep, 10); + if (signum < 0 || signum > (MAXSIG-1) || *ep) stderror(ERR_NAME | ERR_BADSIG); } else { @@ -1598,6 +1599,7 @@ sigmask_t omask; #endif /* BSDSIGS */ Char *cp, **vp; + char *ep; #ifdef BSDSIGS omask = sigmask(SIGCHLD); @@ -1678,11 +1680,16 @@ stderror(ERR_NAME | ERR_JOBARGS); else { #ifndef WINNT_NATIVE - pid = atoi(short2str(cp)); + pid = strtol(short2str(cp), &ep, 10); #else - pid = strtoul(short2str(cp),NULL,0); + pid = strtoul(short2str(cp),&ep,0); #endif /* WINNT_NATIVE */ - if (kill(pid, signum) < 0) { + if (*ep) { + xprintf("%S: Badly formed number\n", cp); + err1++; + goto cont; + } + else if (kill(pid, signum) < 0) { xprintf("%d: %s\n", pid, strerror(errno)); err1++; goto cont;
>Release-Note:
>Audit-Trail:
>Unformatted:
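Review bot: In the @@ -1566,8 +1567,8 @@ hunk, the strtol() result is assigned straight to signum, which the first hunk's context declares as `register int`, so where long is wider than int the value is truncated before the `signum < 0 || signum > (MAXSIG-1)` test runs and a very large argument could wrap into the valid signal range. Suggest converting into a long, range-checking that value, and only then assigning it to signum. The `*ep` test needs no empty-conversion check here, since the Isdigit(*sigptr) guard ensures at least one digit is consumed.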
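Review bot: In the @@ -1678,11 +1680,16 @@ hunk, `if (*ep)` rejects trailing characters but nothing catches overflow or an empty conversion: strtol() clamps and sets errno to ERANGE on an out-of-range value, and if cp can be an empty string at this point (the guard is not in the visible context) then *ep is NUL and pid is 0. strtol() also accepts leading whitespace and a sign. Suggest clearing errno before the call and additionally rejecting the case where ep still equals the start of the string or errno is ERANGE. Separately, the WINNT_NATIVE branch keeps base 0 in strtoul(), so it accepts hex and octal forms that the base-10 branch rejects; using 10 in both would make the two builds agree.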
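The parsing difference the Description reports, as an added example that is not part of the original message or of tcsh. The names lenient_pid and strict_pid are hypothetical, and rejecting 0, signs and out-of-range values is this example's own policy, going a step beyond the trailing-character check discussed in the report.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse, as the report describes: conversion stops at the first
 * non-digit and the converted prefix is returned as if it were the number. */
static int lenient_pid(const char *s) { return atoi(s); }

/* Strict parse (hypothetical helper): returns 0 and stores the value in *out
 * only when the whole string is a decimal number in 1..INT_MAX, else -1. */
static int strict_pid(const char *s, int *out)
{
    char *ep;
    long v;

    if (s[0] < '0' || s[0] > '9')      /* rejects "", "-1", "+5", " 7" */
        return -1;
    errno = 0;
    v = strtol(s, &ep, 10);
    if (*ep != '\0')                   /* trailing junk, e.g. "1q5808" */
        return -1;
    if (errno == ERANGE || v < 1 || v > INT_MAX)   /* overflow, or pid 0 */
        return -1;
    *out = (int)v;
    return 0;
}

int main(void)
{
    /* Constructed inputs; "1q5808" is the argument quoted in the report. */
    const char *samples[] = { "1q5808", "5808", "12abc", "", "0" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int pid = -1;
        int ok = strict_pid(samples[i], &pid) == 0;

        printf("%-8s atoi=%-6d strict=%s\n", samples[i],
               lenient_pid(samples[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the lenient parse, "1q5808" becomes pid 1, which is why the mistyped command in the report reached init.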