Date: Wed, 1 Jan 2003 11:50:09 -0800 (PST)
From: Ceri Davies <ceri@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/46533: Inadequate validity checking on args to tcsh builtin 'kill'
Message-ID: <200301011950.h01Jo9Pr025280@freefall.freebsd.org>
The following reply was made to PR bin/46533; it has been noted by GNATS.
From: Ceri Davies <ceri@FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Cc:
Subject: Re: bin/46533: Inadequate validity checking on args to tcsh builtin 'kill'
Date: Wed, 1 Jan 2003 19:49:00 +0000
Adding to audit trail; obtained from misfiled PR 46542:
On Thu, Dec 26, 2002 at 06:48:51AM -0500, Christos Zoulas wrote:
> On Dec 26, 3:40pm, peterjeremy@optushome.com.au (Peter Jeremy) wrote:
> -- Subject: Inadequate validity checking on args to tcsh builtin 'kill'
>
> Thanks, I'll put it in.
>
> christos
>
> |
> | >Submitter-Id: current-users
> | >Originator: Peter Jeremy
> | >Organization: n/a
> | >Confidential: no
> | >Synopsis: Inadequate validity checking on args to tcsh builtin 'kill'
> | >Severity: serious
> | >Priority: low
> | >Category: bin
> | >Class: sw-bug
> | >Release: FreeBSD 4.7-PRERELEASE i386
> | >Environment:
> | System: FreeBSD server.c18609.belrs1.nsw.optusnet.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #4: Sat Sep 14 15:07:16 EST 2002 root@server.c18609.belrs1.nsw.optusnet.com.au:/usr/obj/usr/src/sys/server i386
> |
> | tcsh: $Id: sh.proc.c,v 3.76 2002/03/08 17:36:46 christos Exp $
> |
> | >Description:
> | The `kill' builtin in tcsh uses atoi(3) to parse numeric arguments
> | (pids or signals). As long as an argument begins with a digit,
> | it is treated as a valid number, even if it contains non-numeric
> | characters. This bug does not exist in /bin/kill or zsh.
> | >How-To-Repeat:
> | I found the bug when I accidentally entered
> | # kill 1q5808
> | as root and found my remote shell (and the entire system) died.
> | >Fix:
> | Index: sh.proc.c
> | ===================================================================
> | RCS file: /usr/ncvs/src/contrib/tcsh/sh.proc.c,v
> | retrieving revision 1.1.1.1.2.4
> | diff -u -r1.1.1.1.2.4 sh.proc.c
> | --- sh.proc.c 10 Aug 2002 18:14:45 -0000 1.1.1.1.2.4
> | +++ sh.proc.c 26 Dec 2002 04:25:36 -0000
> | @@ -1536,6 +1536,7 @@
> | register int signum, len = 0;
> | register char *name;
> | Char *sigptr;
> | + char *ep;
> | extern int T_Cols;
> | extern int nsig;
> |
> | @@ -1566,8 +1567,8 @@
> | }
> | }
> | if (Isdigit(*sigptr)) {
> | - signum = atoi(short2str(sigptr));
> | - if (signum < 0 || signum > (MAXSIG-1))
> | + signum = strtol(short2str(sigptr), &ep, 10);
> | + if (signum < 0 || signum > (MAXSIG-1) || *ep)
> | stderror(ERR_NAME | ERR_BADSIG);
> | }
> | else {
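Review bot: `signum = strtol(short2str(sigptr), &ep, 10)` narrows the long result into `register int signum` before the range test, so where long is wider than int an oversized value can truncate into 0..MAXSIG-1 and pass `signum > (MAXSIG-1)`. Suggest parsing into a long, checking `errno == ERANGE` and the range on that long, and only then assigning to signum. The `*ep` test is sufficient for trailing characters here because `Isdigit(*sigptr)` guarantees at least one digit was consumed.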
> | @@ -1598,6 +1599,7 @@
> | sigmask_t omask;
> | #endif /* BSDSIGS */
> | Char *cp, **vp;
> | + char *ep;
> |
> | #ifdef BSDSIGS
> | omask = sigmask(SIGCHLD);
> | @@ -1678,11 +1680,16 @@
> | stderror(ERR_NAME | ERR_JOBARGS);
> | else {
> | #ifndef WINNT_NATIVE
> | - pid = atoi(short2str(cp));
> | + pid = strtol(short2str(cp), &ep, 10);
> | #else
> | - pid = strtoul(short2str(cp),NULL,0);
> | + pid = strtoul(short2str(cp),&ep,0);
> | #endif /* WINNT_NATIVE */
> | - if (kill(pid, signum) < 0) {
> | + if (*ep) {
> | + xprintf("%S: Badly formed number\n", cp);
> | + err1++;
> | + goto cont;
> | + }
> | + else if (kill(pid, signum) < 0) {
> | xprintf("%d: %s\n", pid, strerror(errno));
> | err1++;
> | goto cont;
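Review bot: the `if (*ep)` test after `pid = strtol(short2str(cp), &ep, 10)` only catches trailing characters; nothing in the visible lines rejects a string from which no digits were consumed (ep left at the start, pid 0, which kill() treats as the caller's process group) or a value that overflowed (strtol sets errno to ERANGE), and either result still reaches `kill(pid, signum)`. Suggest keeping the start pointer, testing `ep == start || *ep`, and clearing and checking errno before the call. The WINNT_NATIVE branch also keeps base 0 in `strtoul(short2str(cp),&ep,0)`, so it accepts hex and octal forms that the base-10 branch rejects; either match the bases or comment on why they differ.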
> -- End of excerpt from Peter Jeremy
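The parsing flaw described in the report, shown as an added example that is not part of the original message or the tcsh source: atoi(3) beside a strict strtol(3)-based parser. The function names and input strings are constructed for illustration, and the policy of accepting only non-negative decimal PIDs that fit in an int is an assumption of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Pre-patch behaviour: atoi() stops at the first non-digit and reports
 * no error, so "1q5808" silently becomes 1. */
int parse_pid_lenient(const char *s)
{
    return atoi(s);
}

/* Hypothetical strict parser (name and policy are assumptions of this example).
 * Returns 0 and stores the PID in *out, or -1 for any malformed input. */
int parse_pid_strict(const char *s, long *out)
{
    char *ep;
    long v;

    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;                      /* "", " 1", "+1", "-1", "q1" */
    errno = 0;
    v = strtol(s, &ep, 10);
    if (ep == s || *ep != '\0')
        return -1;                      /* trailing junk such as "1q5808" */
    if (errno == ERANGE || v > INT_MAX)
        return -1;                      /* overflow, or too large for an int-sized pid */
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs; the first is the mistyped argument from the report. */
    const char *samples[] = { "1q5808", "15808", "", " 42" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long pid = -1;
        int ok = parse_pid_strict(samples[i], &pid);
        printf("%-8s atoi=%d strict=%s\n", samples[i],
               parse_pid_lenient(samples[i]), ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```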
