Date: Thu, 26 Dec 2002 15:40:20 +1100 (EST)
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: FreeBSD-gnats-submit@FreeBSD.org, christos@zoulas.com
Subject: bin/46533: Inadequate validity checking on args to tcsh builtin 'kill'
Message-ID: <200212260440.gBQ4eKUa064588@server.c18609.belrs1.nsw.optusnet.com.au>
>Number: 46533
>Category: bin
>Synopsis: Inadequate validity checking on args to tcsh builtin 'kill'
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 25 20:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Peter Jeremy
>Release: FreeBSD 4.7-PRERELEASE i386
>Organization:
n/a
>Environment:
System: FreeBSD server.c18609.belrs1.nsw.optusnet.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #4: Sat Sep 14 15:07:16 EST 2002 root@server.c18609.belrs1.nsw.optusnet.com.au:/usr/obj/usr/src/sys/server i386
tcsh: $Id: sh.proc.c,v 3.76 2002/03/08 17:36:46 christos Exp $
>Description:
The `kill' builtin in tcsh uses atoi(3) to parse numeric arguments
(pids or signals). As long as an argument begins with a digit,
it is treated as a valid number, even if it contains non-numeric
characters. This bug does not exist in /bin/kill or zsh.
>How-To-Repeat:
I found the bug when I accidentally entered
# kill 1q5808
as root and found my remote shell (and the entire system) died.
>Fix:
Index: sh.proc.c
===================================================================
RCS file: /usr/ncvs/src/contrib/tcsh/sh.proc.c,v
retrieving revision 1.1.1.1.2.4
diff -u -r1.1.1.1.2.4 sh.proc.c
--- sh.proc.c 10 Aug 2002 18:14:45 -0000 1.1.1.1.2.4
+++ sh.proc.c 26 Dec 2002 04:25:36 -0000
@@ -1536,6 +1536,7 @@
register int signum, len = 0;
register char *name;
Char *sigptr;
+ char *ep;
extern int T_Cols;
extern int nsig;
@@ -1566,8 +1567,8 @@
}
}
if (Isdigit(*sigptr)) {
- signum = atoi(short2str(sigptr));
- if (signum < 0 || signum > (MAXSIG-1))
+ signum = strtol(short2str(sigptr), &ep, 10);
+ if (signum < 0 || signum > (MAXSIG-1) || *ep)
stderror(ERR_NAME | ERR_BADSIG);
}
else {
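Review bot: In the Isdigit(*sigptr) branch the strtol() result is stored straight into `int signum` before the range test, so on a platform where long is wider than int an oversized digit string can narrow to a small in-range value and pass `signum > (MAXSIG-1)`. Keep the result in a long, compare that against 0 and MAXSIG-1, and assign it to signum only afterwards. The `*ep` test itself is sufficient here because Isdigit() already guarantees that at least one digit was consumed.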
@@ -1598,6 +1599,7 @@
sigmask_t omask;
#endif /* BSDSIGS */
Char *cp, **vp;
+ char *ep;
#ifdef BSDSIGS
omask = sigmask(SIGCHLD);
@@ -1678,11 +1680,16 @@
stderror(ERR_NAME | ERR_JOBARGS);
else {
#ifndef WINNT_NATIVE
- pid = atoi(short2str(cp));
+ pid = strtol(short2str(cp), &ep, 10);
#else
- pid = strtoul(short2str(cp),NULL,0);
+ pid = strtoul(short2str(cp),&ep,0);
#endif /* WINNT_NATIVE */
- if (kill(pid, signum) < 0) {
+ if (*ep) {
+ xprintf("%S: Badly formed number\n", cp);
+ err1++;
+ goto cont;
+ }
+ else if (kill(pid, signum) < 0) {
xprintf("%d: %s\n", pid, strerror(errno));
err1++;
goto cont;
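Review bot: The `*ep` test after strtol()/strtoul() rejects trailing characters but not out-of-range input: an overlong digit string comes back as LONG_MAX (or ULONG_MAX) with errno set to ERANGE, and that value is then stored into pid and passed to kill(). Set errno to 0 before the conversion and treat ERANGE, or a value that does not fit pid, as the same "Badly formed number" error. The WINNT_NATIVE branch also still parses with base 0, so it accepts octal and hex forms that the base-10 branch rejects; use 10 in both unless that difference is intended.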
>Release-Note:
>Audit-Trail:
>Unformatted:
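
The parsing problem described in this report, as an added example that is not part of the original message or of tcsh: atoi(3) stops at the first non-digit and returns the prefix, while a strict strtol(3) wrapper rejects the whole argument. The helper name parse_strict and the sample arguments are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from tcsh): accept s only if it is entirely a
 * decimal number within [min, max]. Returns 0 and stores the value in
 * *out on success, -1 on any malformed or out-of-range input. */
static int parse_strict(const char *s, long min, long max, long *out)
{
    char *ep;
    long v;

    /* strtol() skips leading blanks and accepts a sign; require a digit
     * first, which also rejects the empty string. */
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &ep, 10);
    if (*ep != '\0')
        return -1;              /* trailing garbage, e.g. "1q5808" */
    if (errno == ERANGE || v < min || v > max)
        return -1;              /* overflow or outside the caller's range */
    *out = v;
    return 0;
}

/* Constructed sample arguments, not taken from a real session. */
static const char *samples[] = {
    "15808", "1q5808", "99999999999999999999", "", "12 ", " 12"
};

int main(void)
{
    size_t i;

    /* atoi() silently returns the numeric prefix of the mistyped argument. */
    printf("atoi(\"1q5808\") = %d\n", atoi("1q5808"));
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long v = 0;
        int rc = parse_strict(samples[i], 0, INT_MAX, &v);
        printf("[%s] -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```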
