Date: Mon, 14 Jul 2008 01:06:35 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Stefan Farfeleder <stefanf@FreeBSD.org>, freebsd-current@freebsd.org
Subject: [patch] segfault in sh for bogus redirection
Message-ID: <20080713230635.GC15766@zaphod.nitro.dk>

Hey Stefan (and other people familiar with the sh(1) code),

I stumbled on a corner case bug in sh(1) where it segfaults instead of giving a proper error message. This only happens when you do something stupid, but I thought it should be fixed anyway.

When you redirect to an unset or empty variable things fail:

$ sh -c 'echo 1 >&$a'
Segmentation fault (core dumped)

With patch:

$ sh -c 'echo 1 >&$a'
Syntax error: Bad fd number

I have made a patch which fixes the issue (attached) so it fails normally with an error, but I'm not sure if it's the right way of fixing it.

Do you think this fix is OK, or is there a better way to do this?

I also included a regression test to check for the problem.

--
Simon L. Nielsen

Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="sh-redir-segv-0.patch"

Index: bin/sh/parser.c =================================================================== --- bin/sh/parser.c (revision 180502) +++ bin/sh/parser.c (working copy) @@ -620,9 +620,9 @@ if (!err) n->ndup.vname = NULL; - if (is_digit(text[0]) && text[1] == '\0') + if (text != NULL && is_digit(text[0]) && text[1] == '\0') n->ndup.dupfd = digit_val(text[0]); - else if (text[0] == '-' && text[1] == '\0') + else if (text != NULL && text[0] == '-' && text[1] == '\0') n->ndup.dupfd = -1; else { Index: tools/regression/bin/sh/errors/redirection-error.2 =================================================================== --- tools/regression/bin/sh/errors/redirection-error.2 (revision 0) +++ tools/regression/bin/sh/errors/redirection-error.2 (revision 0) @@ -0,0 +1,4 @@ +# $FreeBSD$ + +# sh should fail gracefully on this bad redirect +sh -c 'echo 1 >&$a' 2>/dev/null
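
Review bot: the `text != NULL` guard is repeated in both the `if` and the `else if` of the @@ -620,9 hunk in bin/sh/parser.c, and a NULL `text` now falls through to the `else {` branch, whose body lies outside the visible context. A single NULL test placed ahead of the chain that reports the syntax error directly would make the failure path explicit and guarantee the `else` branch never receives NULL. If the fall-through is kept, that branch should be checked for any dereference of `text`, and a one-line comment saying when `text` can be NULL at this point would help the next reader.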
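
Review bot: the test line `sh -c 'echo 1 >&$a' 2>/dev/null` in redirection-error.2 depends on `a` being unset in the inherited environment and runs whichever `sh` comes first in PATH. If `a` happens to be exported with a value, the test exercises a different code path and can pass without touching the fixed one, so an `unset a` inside the `-c` string (or a less common variable name) would make it deterministic. The message reports the crash for both unset and empty variables, but only the unset case is covered; a second case with the variable set to the empty string would cover the other. With stderr discarded, only the exit status separates a clean error from a crash, so the comment should state which status the test expects.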