From christos@zoulas.com Thu Dec 26 03:48:53 2002
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ECA2237B401 for ; Thu, 26 Dec 2002 03:48:53 -0800 (PST)
Received: from beowulf.gw.com (beowulf.gw.com [204.80.150.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id C851043E4A for ; Thu, 26 Dec 2002 03:48:52 -0800 (PST) (envelope-from christos@zoulas.com)
Received: by beowulf.gw.com (Postfix, from userid 10080) id DCB2C7E4C; Thu, 26 Dec 2002 06:48:51 -0500 (EST)
Message-Id: <20021226114851.DCB2C7E4C@beowulf.gw.com>
Date: Thu, 26 Dec 2002 06:48:51 -0500
From: christos@zoulas.com (Christos Zoulas)
To: Peter Jeremy , FreeBSD-gnats-submit@freebsd.org
In-Reply-To: <200212260440.gBQ4eKUa064588@server.c18609.belrs1.nsw.optusnet.com.au> from Peter Jeremy (Dec 26, 3:40pm)
Subject: Re: Inadequate validity checking on args to tcsh builtin 'kill'

>Number:         46542
>Category:       bin
>Synopsis:       Re: Inadequate validity checking on args to tcsh builtin 'kill'
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 26 03:50:01 PST 2002
>Closed-Date:    Wed Jan 01 11:49:37 PST 2003
>Last-Modified:  Thu Oct 07 18:00:56 GMT 2004
>Originator:
>Release:
>Organization:
>Environment:
>Description:
On Dec 26, 3:40pm, peterjeremy@optushome.com.au (Peter Jeremy) wrote:
-- Subject: Inadequate validity checking on args to tcsh builtin 'kill'

Thanks, I'll put it in.

christos

|
| >Submitter-Id:  current-users
| >Originator:    Peter Jeremy
| >Organization:  n/a
| >Confidential:  no
| >Synopsis:      Inadequate validity checking on args to tcsh builtin 'kill'
| >Severity:      serious
| >Priority:      low
| >Category:      bin
| >Class:         sw-bug
| >Release:       FreeBSD 4.7-PRERELEASE i386
| >Environment:
| System: FreeBSD server.c18609.belrs1.nsw.optusnet.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #4: Sat Sep 14 15:07:16 EST 2002 root@server.c18609.belrs1.nsw.optusnet.com.au:/usr/obj/usr/src/sys/server i386
|
| tcsh: $Id: sh.proc.c,v 3.76 2002/03/08 17:36:46 christos Exp $
|
| >Description:
| The `kill' builtin in tcsh uses atoi(3) to parse numeric arguments
| (pids or signals). As long as an argument begins with a digit,
| it is treated as a valid number, even if it contains non-numeric
| characters. This bug does not exist in /bin/kill or zsh.
| >How-To-Repeat:
| I found the bug when I accidentally entered
| # kill 1q5808
| as root and found my remote shell (and the entire system) died.
| >Fix: | Index: sh.proc.c | =================================================================== | RCS file: /usr/ncvs/src/contrib/tcsh/sh.proc.c,v | retrieving revision 1.1.1.1.2.4 | diff -u -r1.1.1.1.2.4 sh.proc.c | --- sh.proc.c 10 Aug 2002 18:14:45 -0000 1.1.1.1.2.4 | +++ sh.proc.c 26 Dec 2002 04:25:36 -0000 | @@ -1536,6 +1536,7 @@ | register int signum, len = 0; | register char *name; | Char *sigptr; | + char *ep; | extern int T_Cols; | extern int nsig; | | @@ -1566,8 +1567,8 @@ | } | } | if (Isdigit(*sigptr)) { | - signum = atoi(short2str(sigptr)); | - if (signum < 0 || signum > (MAXSIG-1)) | + signum = strtol(short2str(sigptr), &ep, 10); | + if (signum < 0 || signum > (MAXSIG-1) || *ep) | stderror(ERR_NAME | ERR_BADSIG); | } | else { | @@ -1598,6 +1599,7 @@ | sigmask_t omask; | #endif /* BSDSIGS */ | Char *cp, **vp; | + char *ep; | | #ifdef BSDSIGS | omask = sigmask(SIGCHLD); | @@ -1678,11 +1680,16 @@ | stderror(ERR_NAME | ERR_JOBARGS); | else { | #ifndef WINNT_NATIVE | - pid = atoi(short2str(cp)); | + pid = strtol(short2str(cp), &ep, 10); | #else | - pid = strtoul(short2str(cp),NULL,0); | + pid = strtoul(short2str(cp),&ep,0); | #endif /* WINNT_NATIVE */ | - if (kill(pid, signum) < 0) { | + if (*ep) { | + xprintf("%S: Badly formed number\n", cp); | + err1++; | + goto cont; | + } | + else if (kill(pid, signum) < 0) { | xprintf("%d: %s\n", pid, strerror(errno)); | err1++; | goto cont; -- End of excerpt from Peter Jeremy >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: State-Changed-From-To: open->closed State-Changed-By: ceri State-Changed-When: Wed Jan 1 11:49:11 PST 2003 State-Changed-Why: Misfiled folowup to bin/46533 (content migrated). http://www.freebsd.org/cgi/query-pr.cgi?pr=46542 >Unformatted:
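Review bot: in the second hunk (the signal-name branch) the range test `signum < 0 || signum > (MAXSIG-1)` is applied only after strtol's long result has been stored in the int `signum`, and errno is never examined, so an argument that overflows long (strtol returns LONG_MAX and sets errno to ERANGE) is range-checked only after the narrowing conversion. Parse into a long temporary, set errno to 0 before the call and test `errno == ERANGE` after it, and compare the long against 0 and MAXSIG-1 before assigning it to signum. The added `*ep` test itself is the right fix for the reported `1q5808` case; note that it also rejects trailing whitespace, which is fine for a shell word but worth stating in the commit message.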
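Review bot: in the last hunk (the pid branch) the `if (*ep)` test catches junk after the digits but not the case where strtol consumed nothing: for an empty argument ep equals the start of the string with `*ep == '\0'`, so pid stays 0 and control reaches `kill(pid, signum)` with pid 0, which signals the caller's whole process group. Unless an earlier check, not visible in this hunk's context, guarantees the argument starts with a digit, keep the start pointer and reject `ep == start` as well; since short2str() returns a static buffer, save its result in a local (`s = short2str(cp); pid = strtol(s, &ep, 10); if (*ep || ep == s)`) rather than calling it twice. The same narrowing concern as in the signal branch applies here: pid is printed with `%d`, so the long from strtol (or unsigned long from strtoul on WINNT_NATIVE) is truncated to int without an ERANGE check.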
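The report describes why atoi(3) is the wrong tool for validating a pid or signal argument: it stops silently at the first non-digit, so `1q5808` becomes 1. The following is an added illustration, not tcsh's code or the patch above: it places the lenient atoi parse beside a strict parser that goes somewhat beyond the patch by also rejecting empty input, checking ERANGE, and applying caller-supplied bounds before the value is narrowed to int. The function names `lenient_int`, `strict_int` and `strict_int_or`, the sample arguments, and the bounds used in the demo (1..INT_MAX for pids, 0..31 for signal numbers) are all constructed for this example; which bounds a real kill builtin should enforce is the caller's policy.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse, the behaviour the report describes: atoi() stops
 * silently at the first non-digit, so "1q5808" becomes 1. */
static int lenient_int(const char *s)
{
    return atoi(s);
}

/* Strict parse (added illustration, not tcsh's code). The whole argument
 * must be a decimal number within [lo, hi]; the caller keeps lo and hi
 * inside the int range so the final narrowing is safe. Returns 1 and
 * stores the value in *out on success, 0 on empty input, junk after the
 * digits, or an out-of-range value. */
static int strict_int(const char *s, long lo, long hi, int *out)
{
    char *ep;
    long v;

    if (s == NULL || *s == '\0')
        return 0;                 /* strtol("") would quietly yield 0 */
    errno = 0;
    v = strtol(s, &ep, 10);
    if (ep == s || *ep != '\0')
        return 0;                 /* no digits consumed, or trailing garbage */
    if (errno == ERANGE || v < lo || v > hi)
        return 0;                 /* overflowed long, or outside the caller's bounds */
    *out = (int)v;
    return 1;
}

/* Convenience wrapper: the parsed value, or `bad` when the argument is rejected. */
static int strict_int_or(const char *s, long lo, long hi, int bad)
{
    int v;
    return strict_int(s, lo, hi, &v) ? v : bad;
}

int main(void)
{
    /* constructed sample arguments, including the one from the report */
    static const char *args[] = { "5808", "1q5808", "", "q1", "15 " };
    size_t i;

    for (i = 0; i < sizeof args / sizeof args[0]; i++) {
        int pid;
        printf("%-8s atoi=%-6d strict=%s\n", args[i], lenient_int(args[i]),
               strict_int(args[i], 1, INT_MAX, &pid) ? "accepted" : "rejected");
    }
    return 0;
}
```

Running the demo prints one line per argument; only `5808` passes the strict parser, while atoi turns `1q5808` into 1 and silently returns 0 for the inputs that contain no leading digits.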