From owner-freebsd-bugs  Wed Jan  1 11:50:14 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CF82237B407
	for <freebsd-bugs@hub.freebsd.org>; Wed,  1 Jan 2003 11:50:11 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EC26243ED8
	for <freebsd-bugs@hub.freebsd.org>; Wed,  1 Jan 2003 11:50:09 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h01Jo9NS025289
	for <freebsd-bugs@freefall.freebsd.org>; Wed, 1 Jan 2003 11:50:09 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h01Jo9Pr025280;
	Wed, 1 Jan 2003 11:50:09 -0800 (PST)
Date: Wed, 1 Jan 2003 11:50:09 -0800 (PST)
Message-Id: <200301011950.h01Jo9Pr025280@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc: 
From: Ceri Davies <ceri@FreeBSD.org>
Subject: Re: bin/46533: Inadequate validity checking on args to tcsh builtin 'kill'
Reply-To: Ceri Davies <ceri@FreeBSD.org>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org

The following reply was made to PR bin/46533; it has been noted by GNATS.

From: Ceri Davies <ceri@FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: bin/46533: Inadequate validity checking on args to tcsh builtin 'kill'
Date: Wed, 1 Jan 2003 19:49:00 +0000

 Adding to audit trail; obtained from misfiled PR 46542:
 
 On Thu, Dec 26, 2002 at 06:48:51AM -0500, Christos Zoulas wrote:
 >  On Dec 26,  3:40pm, peterjeremy@optushome.com.au (Peter Jeremy) wrote:
 >  -- Subject: Inadequate validity checking on args to tcsh builtin 'kill'
 >  
 >  Thanks, I'll put it in.
 >  
 >  christos
 >  
 >  | 
 >  | >Submitter-Id:	current-users
 >  | >Originator:	Peter Jeremy
 >  | >Organization:	n/a
 >  | >Confidential:	no 
 >  | >Synopsis:	Inadequate validity checking on args to tcsh builtin 'kill'
 >  | >Severity:	serious
 >  | >Priority:	low
 >  | >Category:	bin
 >  | >Class:		sw-bug
 >  | >Release:	FreeBSD 4.7-PRERELEASE i386
 >  | >Environment:
 >  | System: FreeBSD server.c18609.belrs1.nsw.optusnet.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #4: Sat Sep 14 15:07:16 EST 2002 root@server.c18609.belrs1.nsw.optusnet.com.au:/usr/obj/usr/src/sys/server i386
 >  | 
 >  | tcsh: $Id: sh.proc.c,v 3.76 2002/03/08 17:36:46 christos Exp $
 >  | 
 >  | >Description:
 >  | 	The `kill' builtin in tcsh uses atoi(3) to parse numeric arguments
 >  | 	(pids or signals).  As long as an argument begins with a digit,
 >  | 	it is treated as a valid number, even if it contains non-numeric
 >  | 	characters.  This bug does not exist in /bin/kill or zsh.
 >  | >How-To-Repeat:
 >  | 	I found the bug when I accidently entered
 >  | 	# kill 1q5808
 >  | 	as root and found my remote shell (and the entire system) died.
 >  | >Fix:
 >  | Index: sh.proc.c
 >  | ===================================================================
 >  | RCS file: /usr/ncvs/src/contrib/tcsh/sh.proc.c,v
 >  | retrieving revision 1.1.1.1.2.4
 >  | diff -u -r1.1.1.1.2.4 sh.proc.c
 >  | --- sh.proc.c	10 Aug 2002 18:14:45 -0000	1.1.1.1.2.4
 >  | +++ sh.proc.c	26 Dec 2002 04:25:36 -0000
 >  | @@ -1536,6 +1536,7 @@
 >  |      register int signum, len = 0;
 >  |      register char *name;
 >  |      Char *sigptr;
 >  | +    char *ep;
 >  |      extern int T_Cols;
 >  |      extern int nsig;
 >  |  
 >  | @@ -1566,8 +1567,8 @@
 >  |   	    }
 >  |   	}
 >  |   	if (Isdigit(*sigptr)) {
 >  | - 	    signum = atoi(short2str(sigptr));
 >  | -	    if (signum < 0 || signum > (MAXSIG-1))
 >  | + 	    signum = strtol(short2str(sigptr), &ep, 10);
 >  | +	    if (signum < 0 || signum > (MAXSIG-1) || *ep)
 >  |  		stderror(ERR_NAME | ERR_BADSIG);
 >  |  	}
 >  |  	else {
 >  | @@ -1598,6 +1599,7 @@
 >  |      sigmask_t omask;
 >  |  #endif /* BSDSIGS */
 >  |      Char   *cp, **vp;
 >  | +    char   *ep;
 >  |  
 >  |  #ifdef BSDSIGS
 >  |      omask = sigmask(SIGCHLD);
 >  | @@ -1678,11 +1680,16 @@
 >  |  	    stderror(ERR_NAME | ERR_JOBARGS);
 >  |  	else {
 >  |  #ifndef WINNT_NATIVE
 >  | -	    pid = atoi(short2str(cp));
 >  | +	    pid = strtol(short2str(cp), &ep, 10);
 >  |  #else
 >  | -		pid = strtoul(short2str(cp),NULL,0);
 >  | +		pid = strtoul(short2str(cp),&ep,0);
 >  |  #endif /* WINNT_NATIVE */
 >  | -	    if (kill(pid, signum) < 0) {
 >  | +	    if (*ep) {
 >  | +		xprintf("%S: Badly formed number\n", cp);
 >  | +		err1++;
 >  | +		goto cont;
 >  | +	    }
 >  | +	    else if (kill(pid, signum) < 0) {
 >  |  		xprintf("%d: %s\n", pid, strerror(errno));
 >  |  		err1++;
 >  |  		goto cont;
 >  -- End of excerpt from Peter Jeremy

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message