From owner-freebsd-bugs Mon Oct 14 07:00:06 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA28704 for bugs-outgoing; Mon, 14 Oct 1996 07:00:06 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA28691; Mon, 14 Oct 1996 07:00:03 -0700 (PDT)
Date: Mon, 14 Oct 1996 07:00:03 -0700 (PDT)
Message-Id: <199610141400.HAA28691@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: Tor Egge
Subject: Re: misc/1791: syslimits.h does not allow overriding default value of ARG_MAX
Reply-To: Tor Egge
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR misc/1791; it has been noted by GNATS.

From: Tor Egge
To: bde@zeta.org.au
Cc: FreeBSD-gnats-submit@freebsd.org, tegge@itea.ntnu.no
Subject: Re: misc/1791: syslimits.h does not allow overriding default value of ARG_MAX
Date: Mon, 14 Oct 1996 15:33:36 +0200

> > It is not possible to specify an alternative value of ARG_MAX
> > in the kernel config file, since /usr/src/sys/sys/syslimits.h
> > defines ARG_MAX even if it was defined.
>
> This isn't a bug. Defining ARG_MAX in advertises to
> applications that ARG_MAX is a constant with the given value. The
> only correct way to change it is to change the header and recompile
> all applications that depend on it (ps, xargs and who-knows-what
> else).
>
> The best way to fix the problem is to remove the definition of
> ARG_MAX from and then fix everything that (bogusly)
> depends on it.
>

Correct.

A short grep for ARG_MAX in the non-kernel part of the FreeBSD source tree
shows only a few occurrences:

./bin/ps/fmt.c: static char buf[ARG_MAX]; /* XXX */
./contrib/gcc/config/i386/xm-sco.h:/* SCO has a very small ARG_MAX. */
./contrib/gcc/config/i386/xm-sysv4.h:/* Univel, at least, has a small ARG_MAX. Defining this is harmless
./contrib/gcc/gcc.c: only important to return 0 if the host machine has a small ARG_MAX
./usr.bin/xargs/xargs.c: * POSIX.2 limits the exec line length to ARG_MAX - 2K. Running that
./usr.bin/xargs/xargs.c: * caused some E2BIG errors, so it was changed to ARG_MAX - 4K. Given
./usr.bin/xargs/xargs.c: * (ARG_MAX - 4K - LENGTH(utility + arguments)) / 2.
./usr.bin/xargs/xargs.c: nline = ARG_MAX - 4 * 1024;

Only the ps and xargs parts are interesting.

ps is already broken, e.g. compile this program and run it in the
background, then run ps with xwww as arguments while this program is
still running. Immediate buffer overflow in shquote due to the buffer
being only ARG_MAX in size, instead of 4*ARG_MAX+1.

    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <vis.h>

    int main(int argc,char **argv)
    {
      char arg[30000];
      char arg2[600000];

      /* Build a long argument: a short command, then a comment of \201 bytes. */
      strcpy(arg,"sleep 10 # ");
      memset(arg+strlen(arg),'\201',sizeof(arg)-strlen(arg));
      arg[sizeof(arg)-1]=0;
      /* Show how long the argument becomes once vis-encoded. */
      strvis(arg2,arg,VIS_NL | VIS_CSTYLE);
      printf("len is %zu\n",strlen(arg2));
      execl("/bin/sh","sh","-c",arg,(char *)NULL);
      /* Only reached if execl() failed. */
      printf("FAILED, errno=%d\n",errno);
      return 1;
    }

xargs having a too low (i.e. too conservative) value for ARG_MAX does not
normally cause any problems. It only reduces performance.

- Tor Egge
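
The buffer sizing problem described in the message above, as an added example that is not part of the original message or of the FreeBSD ps source: a bounded encoder that refuses to write past its destination. encode_bounded, try_encode and N are hypothetical names, and the octal escaping is a simplified stand-in for strvis() that has the same 4-to-1 worst case.

```c
#include <stdio.h>
#include <string.h>

#define N 1000  /* constructed input length, standing in for ARG_MAX */

/* Simplified stand-in for strvis(): printable ASCII is copied, any other
 * byte becomes a 4-character octal escape (\ooo), so the worst case needs
 * 4 * strlen(src) + 1 bytes. Returns the encoded length, or -1 when dst is
 * too small; it never writes past dst[dstsize - 1]. */
long encode_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t used = 0;

    if (dstsize == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        int plain = *p >= 0x20 && *p < 0x7f && *p != '\\';
        size_t need = plain ? 1 : 4;

        if (need > dstsize - 1 - used) {    /* keep room for the NUL */
            dst[used] = '\0';
            return -1;
        }
        if (plain)
            dst[used] = (char)*p;
        else    /* writes 4 characters plus a NUL that fits by the check above */
            snprintf(dst + used, 5, "\\%03o", (unsigned)*p);
        used += need;
    }
    dst[used] = '\0';
    return (long)used;
}

/* Encode N bytes of '\201' (the byte used in the message's program) into a
 * destination treated as dstsize bytes long; dstsize must be <= 4*N+1. */
long try_encode(size_t dstsize)
{
    static char src[N + 1], dst[4 * N + 1];

    memset(src, '\201', N);
    src[N] = '\0';
    return encode_bounded(dst, dstsize, src);
}

int main(void)
{
    printf("dst = N:      %ld\n", try_encode(N));          /* too small */
    printf("dst = 4*N+1:  %ld\n", try_encode(4 * N + 1));  /* fits */
    return 0;
}
```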