From owner-freebsd-bugs Wed Dec 11 17:50: 7 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9DB4D37B404 for ; Wed, 11 Dec 2002 17:50:03 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FE0F43E4A for ; Wed, 11 Dec 2002 17:50:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id gBC1o1x3074918 for ; Wed, 11 Dec 2002 17:50:01 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id gBC1o1Vn074917; Wed, 11 Dec 2002 17:50:01 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A557037B401 for ; Wed, 11 Dec 2002 17:49:23 -0800 (PST)
Received: from fafoe.dyndns.org (chello212186121237.14.vie.surfer.at [212.186.121.237]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1394E43ED1 for ; Wed, 11 Dec 2002 17:49:23 -0800 (PST) (envelope-from stefan@fafoe.dyndns.org)
Received: from frog.fafoe (frog.fafoe [192.168.2.101]) by fafoe.dyndns.org (Postfix) with ESMTP id 3388A40AA; Thu, 12 Dec 2002 02:49:16 +0100 (CET)
Received: by frog.fafoe (Postfix, from userid 1001) id CF16A78A; Thu, 12 Dec 2002 02:49:15 +0100 (CET)
Message-Id: <20021212014915.CF16A78A@frog.fafoe>
Date: Thu, 12 Dec 2002 02:49:15 +0100 (CET)
From: Stefan Farfeleder
Reply-To: Stefan Farfeleder
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: e0026813@stud3.tuwien.ac.at
X-Send-Pr-Version: 3.113
Subject: bin/46203: [patch] make(1) missing trailing '\0' and accessing junk memory if '$' is at the end of line
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org
>Number: 46203
>Category: bin
>Synopsis: [patch] make(1) missing trailing '\0' and accessing junk memory if '$' is at the end of line
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 11 17:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Stefan Farfeleder
>Release: FreeBSD 5.0-RC i386
>Organization:
>Environment:
System: FreeBSD frog.fafoe 5.0-RC FreeBSD 5.0-RC #5: Tue Dec 10 19:18:00 CET 2002 freebsd@frog.fafoe:/freebsd/current/obj/freebsd/current/src/sys/FROG i386
>Description:
The function Var_Subst() goes through every character in its argument `str' and calls Var_Parse() if it finds a '$'. The latter function stores the number of characters occupied by the '$' and the variable name into *lengthPtr, which is then added to `str' in Var_Subst(). However, if Var_Parse() fails to parse the variable name after the '$', *lengthPtr is always assigned the value 2. This causes `str' to point one behind the terminating '\0' if the '$' is immediately followed by the '\0'. IOW, before var.c:1759 is executed, str == "$" and length == 2; afterwards str is pointing to garbage.
>How-To-Repeat:
If no '\0' is in the memory owned by make following `str', a segmentation fault will occur.
>Fix:
I'm fixing things inside Var_Parse() because it seems to be cleaner to set length to 1 if str == "$" than to deal with it in Var_Subst().

[patch survived a buildworld]

--- make.diff begins here --- Index: src/usr.bin/make/var.c =================================================================== RCS file: /usr/home/ncvs/src/usr.bin/make/var.c,v retrieving revision 1.40 diff -u -c -r1.40 var.c *** src/usr.bin/make/var.c 8 Nov 2002 16:59:11 -0000 1.40 --- src/usr.bin/make/var.c 12 Dec 2002 00:23:10 -0000 *************** *** 801,807 **** * The (possibly-modified) value of the variable or var_Error if the * specification is invalid.
The length of the specification is * placed in *lengthPtr (for invalid specifications, this is just ! * 2...?). * A Boolean in *freePtr telling whether the returned string should * be freed by the caller. * --- 801,808 ---- * The (possibly-modified) value of the variable or var_Error if the * specification is invalid. The length of the specification is * placed in *lengthPtr (for invalid specifications, this is just ! * 2 to skip the '$' and the following letter, or 1 if '$' was the ! * last character in the string). * A Boolean in *freePtr telling whether the returned string should * be freed by the caller. * *************** *** 850,856 **** v = VarFind (name, ctxt, FIND_ENV | FIND_GLOBAL | FIND_CMD); if (v == (Var *)NULL) { ! *lengthPtr = 2; if ((ctxt == VAR_CMD) || (ctxt == VAR_GLOBAL)) { /* --- 851,860 ---- v = VarFind (name, ctxt, FIND_ENV | FIND_GLOBAL | FIND_CMD); if (v == (Var *)NULL) { ! if (str[1] != '\0') ! *lengthPtr = 2; ! else ! *lengthPtr = 1; if ((ctxt == VAR_CMD) || (ctxt == VAR_GLOBAL)) { /* --- make.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
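Review bot: in the rewritten comment of the first hunk (lines 801,808), "2 to skip the '$' and the following letter" is narrower than what the code does: the byte after '$' is whatever str[1] holds, which need not be a letter. Suggest "the '$' and the following character". Replacing the old "2...?" placeholder with the two concrete cases (2, or 1 when '$' is the last character) is the documentation that comment was missing, so keep that part.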
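Review bot: in the second hunk (lines 851,860) the new `if (str[1] != '\0')` test sits inside the `if (v == (Var *)NULL)` branch, so it only takes effect when the `VarFind (name, ctxt, ...)` lookup just above it fails; a trailing '$' is still looked up first, and if that lookup ever succeeded the length would be whatever the found path reports. Consider testing for the end of string before the VarFind call and setting *lengthPtr = 1 there, which keeps "no name to look up" separate from "name not found". As written the if/else is correct; a one-line form such as `*lengthPtr = (str[1] != '\0') ? 2 : 1;` would also read fine and is only a style preference.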
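A minimal model of the mechanism the report describes, added here as an example (it is not code from the PR, the patch, or FreeBSD's make(1)): var_parse() and var_subst() stand in for Var_Parse() and Var_Subst() with braces, modifiers and error reporting left out, lookup_var() is a constructed two-entry table in place of VarFind(), and the `fixed` flag switches between the unpatched always-2 length and the patch's length-1 case. The model's var_subst() returns how far the scan advanced past the terminating '\0' instead of reading there, so it shows the off-by-one on an input such as "echo $" without itself touching memory outside the string. Undefined references are skipped by the reported length, which is the path the report describes; the real make(1) has further handling that this model omits.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed variable table standing in for make's VarFind(). */
static const char *lookup_var(char name)
{
    switch (name) {
    case 'A': return "alpha";
    case 'B': return "beta";
    default:  return NULL;          /* undefined: VarFind() would return NULL */
    }
}

/*
 * Model of Var_Parse() for an unbraced single-character name; str[0] is
 * the '$'. The number of bytes the reference occupies goes to *lengthPtr.
 * fixed == 0 mirrors the unpatched code: always 2 on a failed lookup, even
 * when str[1] is the terminating '\0'. fixed != 0 mirrors the PR's patch.
 */
static const char *var_parse(const char *str, int fixed, size_t *lengthPtr)
{
    const char *v = lookup_var(str[1]); /* str[1] may be the '\0' itself */

    if (v == NULL) {
        if (fixed && str[1] == '\0')
            *lengthPtr = 1;
        else
            *lengthPtr = 2;
        return NULL;
    }
    *lengthPtr = 2;
    return v;
}

/*
 * Model of Var_Subst(): copies str to out, expanding "$X" references and
 * skipping undefined ones by the length var_parse() reported. Returns the
 * number of bytes str was advanced past its terminating '\0'; 0 means the
 * scan stayed inside the string. The real Var_Subst() has no such check
 * and keeps reading from the bad pointer.
 */
static size_t var_subst(const char *str, int fixed, char *out, size_t outsz)
{
    const char *end = str + strlen(str);    /* address of the terminating '\0' */
    size_t oi = 0;

    while (*str != '\0') {
        if (*str == '$') {
            size_t len;
            const char *val = var_parse(str, fixed, &len);

            if (val != NULL) {
                size_t vl = strlen(val);
                if (oi + vl >= outsz)
                    break;                  /* output buffer full */
                memcpy(out + oi, val, vl);
                oi += vl;
            }
            str += len;
            if (str > end) {                /* the off-by-one from the report */
                out[oi] = '\0';
                return (size_t)(str - end);
            }
        } else {
            if (oi + 1 >= outsz)
                break;
            out[oi++] = *str++;
        }
    }
    out[oi] = '\0';
    return 0;
}

/* Small wrappers so callers can check results without a scratch buffer. */
static size_t overrun_of(const char *in, int fixed)
{
    char out[64];
    return var_subst(in, fixed, out, sizeof out);
}

static int expands_to(const char *in, int fixed, const char *expected)
{
    char out[64];
    var_subst(in, fixed, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    static const char *inputs[] = { "cc $A $B", "cc $Z", "echo $" };
    char out[64];

    for (int fixed = 0; fixed <= 1; fixed++)
        for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
            size_t past = var_subst(inputs[i], fixed, out, sizeof out);
            printf("%-9s %-10s -> \"%s\"  bytes past NUL: %zu\n",
                   fixed ? "patched" : "unpatched", inputs[i], out, past);
        }
    return 0;
}
```

Build with `cc -Wall` and run: the unpatched pass over "echo $" reports one byte past the NUL while the patched pass reports zero, and the two well-formed inputs give the same expansion either way. In the real Var_Subst() the loop keeps reading from that advanced pointer, which is the garbage access (or segmentation fault) the report describes.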