Date:      Tue, 15 Jul 2008 22:28:52 +0200
From:      Stefan Farfeleder <stefanf@FreeBSD.org>
To:        "Simon L. Nielsen" <simon@FreeBSD.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: [patch] segfault in sh for bogus redirection
Message-ID:  <20080715202852.GB1366@lizard.fafoe.narf.at>
In-Reply-To: <20080713230635.GC15766@zaphod.nitro.dk>
References:  <20080713230635.GC15766@zaphod.nitro.dk>

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Jul 14, 2008 at 01:06:35AM +0200, Simon L. Nielsen wrote:
> Hey Stefan (and other people familiar with the sh(1) code),
> 
> I stumbled on a corner case bug in sh(1) where it segfaults instead of
> giving a proper error message.  This only happens when you do
> something stupid, but I thought it should be fixed anyway.
> 
> When you redirect to an unset or empty variable things fail:
> 
>      $ sh -c 'echo 1 >&$a'
>      Segmentation fault (core dumped)
> 
> With patch:
> 
>      $ sh -c 'echo 1 >&$a'
>      Syntax error: Bad fd number
> 
> I have made a patch which fixes the issue (attached) so it fails
> normally with an error, but I'm not sure if it's the right way of
> fixing it.  Do you think this fix is OK, or is there a better way to
> do this?
> 
> I also included a regression test to check for the problem.

Hi,

I don't think your patch is correct.  The value of 'fn.list->text' is
not properly initialised in eval.c:441 and only NULL by chance.  Try
this patch instead.  I still need to test it properly though.

--sdtB3X0nJg68CQEu
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="redir.diff"

Index: eval.c
===================================================================
--- eval.c	(revision 180476)
+++ eval.c	(working copy)
@@ -437,7 +437,7 @@
 		case NFROMFD:
 		case NTOFD:
 			if (redir->ndup.vname) {
-				expandarg(redir->ndup.vname, &fn, EXP_FULL | EXP_TILDE);
+				expandarg(redir->ndup.vname, &fn, EXP_TILDE | EXP_REDIR);
 				fixredir(redir, fn.list->text, 1);
 			}
 			break;
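
Review bot: the unchanged line "fixredir(redir, fn.list->text, 1);" still dereferences fn.list with no check, so after this change the fix rests entirely on expandarg() always leaving one list entry with valid text when called with EXP_TILDE | EXP_REDIR, including for an unset or empty variable as in "echo 1 >&$a". Either state that invariant in a comment above the expandarg() call or test fn.list before passing it to fixredir(), so a later change of flags cannot reintroduce the crash. Dropping EXP_FULL is also a behaviour change beyond the crash fix and should be called out in the commit message, and the regression test mentioned earlier in the thread should be committed together with this hunk.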

--sdtB3X0nJg68CQEu--


