Date: Thu, 26 Dec 2002 15:40:20 +1100 (EST)
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: FreeBSD-gnats-submit@FreeBSD.org, christos@zoulas.com
Subject: bin/46533: Inadequate validity checking on args to tcsh builtin 'kill'
Message-ID: <200212260440.gBQ4eKUa064588@server.c18609.belrs1.nsw.optusnet.com.au>
>Number: 46533 >Category: bin >Synopsis: Inadequate validity checking on args to tcsh builtin 'kill' >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Dec 25 20:50:01 PST 2002 >Closed-Date: >Last-Modified: >Originator: Peter Jeremy >Release: FreeBSD 4.7-PRERELEASE i386 >Organization: n/a >Environment: System: FreeBSD server.c18609.belrs1.nsw.optusnet.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #4: Sat Sep 14 15:07:16 EST 2002 root@server.c18609.belrs1.nsw.optusnet.com.au:/usr/obj/usr/src/sys/server i386 tcsh: $Id: sh.proc.c,v 3.76 2002/03/08 17:36:46 christos Exp $ >Description: The `kill' builtin in tcsh uses atoi(3) to parse numeric arguments (pids or signals). As long as an argument begins with a digit, it is treated as a valid number, even if it contains non-numeric characters. This bug does not exist in /bin/kill or zsh. >How-To-Repeat: I found the bug when I accidently entered # kill 1q5808 as root and found my remote shell (and the entire system) died. >Fix: Index: sh.proc.c =================================================================== RCS file: /usr/ncvs/src/contrib/tcsh/sh.proc.c,v retrieving revision 1.1.1.1.2.4 diff -u -r1.1.1.1.2.4 sh.proc.c --- sh.proc.c 10 Aug 2002 18:14:45 -0000 1.1.1.1.2.4 +++ sh.proc.c 26 Dec 2002 04:25:36 -0000 @@ -1536,6 +1536,7 @@ register int signum, len = 0; register char *name; Char *sigptr; + char *ep; extern int T_Cols; extern int nsig; @@ -1566,8 +1567,8 @@ } } if (Isdigit(*sigptr)) { - signum = atoi(short2str(sigptr)); - if (signum < 0 || signum > (MAXSIG-1)) + signum = strtol(short2str(sigptr), &ep, 10); + if (signum < 0 || signum > (MAXSIG-1) || *ep) stderror(ERR_NAME | ERR_BADSIG); } else { @@ -1598,6 +1599,7 @@ sigmask_t omask; #endif /* BSDSIGS */ Char *cp, **vp; + char *ep; #ifdef BSDSIGS omask = sigmask(SIGCHLD); 
@@ -1678,11 +1680,16 @@ stderror(ERR_NAME | ERR_JOBARGS); else { #ifndef WINNT_NATIVE - pid = atoi(short2str(cp)); + pid = strtol(short2str(cp), &ep, 10); #else - pid = strtoul(short2str(cp),NULL,0); + pid = strtoul(short2str(cp),&ep,0); #endif /* WINNT_NATIVE */ - if (kill(pid, signum) < 0) { + if (*ep) { + xprintf("%S: Badly formed number\n", cp); + err1++; + goto cont; + } + else if (kill(pid, signum) < 0) { xprintf("%d: %s\n", pid, strerror(errno)); err1++; goto cont; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
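Review bot: In the @@ -1566,8 +1567,8 @@ hunk, the strtol() result is stored straight into signum, which the context of the @@ -1536,6 +1536,7 @@ hunk shows is declared "register int", so where long is wider than int a large value is narrowed before the "signum < 0 || signum > (MAXSIG-1)" test and could land inside the valid range. Suggest parsing into a long, range-checking that, and only then assigning to signum; checking errno for ERANGE after the call would cover the overflow case as well.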
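Review bot: In the @@ -1678,11 +1680,16 @@ hunk, the new "if (*ep)" test catches trailing characters but not an out-of-range number: strtol() and strtoul() clamp the result and set errno to ERANGE on overflow, and the clamped value is then handed to kill(). Suggest clearing errno before the call and reporting ERANGE as a badly formed number too. The WINNT_NATIVE branch also still passes base 0, so it accepts hex and octal forms that the base-10 branch rejects; if that is not intended, use 10 there as well.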
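The parsing difference behind this report, as an added example that is not part of the original message or of tcsh: atoi(3) stops at the first non-digit, while a strtol(3)-based check can reject the whole argument. The helper names parse_strict and parse_atoi are hypothetical, the sample arguments are constructed, and negative (process-group) arguments are deliberately not handled.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not tcsh code: accept s only if it is entirely an
 * unsigned decimal number within [min, max]. Returns 0 on success, -1 otherwise. */
static int parse_strict(const char *s, long min, long max, long *out)
{
    char *ep;
    long v;

    /* Require a leading digit: strtol alone would skip whitespace and take a sign. */
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &ep, 10);
    if (*ep != '\0')                      /* trailing junk, e.g. "q5808" */
        return -1;
    if (errno == ERANGE || v < min || v > max)
        return -1;                        /* overflowed long, or outside caller's range */
    *out = v;
    return 0;
}

/* The lenient parse the report describes: stops at the first non-digit. */
static int parse_atoi(const char *s)
{
    return atoi(s);
}

int main(void)
{
    /* Constructed sample arguments; the first is the one from the report. */
    const char *args[] = { "1q5808", "15808", "99999999999999999999", " 7", "" };
    size_t i;
    long v;

    printf("atoi(\"1q5808\") = %d\n", parse_atoi("1q5808"));
    for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        if (parse_strict(args[i], 1, INT_MAX, &v) == 0)
            printf("\"%s\": accepted as %ld\n", args[i], v);
        else
            printf("\"%s\": rejected\n", args[i]);
    }
    return 0;
}
```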