Re: segfault with invalid shell script

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 21/11/2022 13:08, Harald van Dijk wrote:
On 21/11/2022 02:38, Christoph Anton Mitterer wrote:
reject_filtered_cmd()
{
     reject_and_die "disallowed command${restrict_path_list:+ (restrict-path: \"${restrict_path_list//|/\", \"}\")}"
}

reject_filtered_cmd
[...]
This should either result in the ${...//...} being skipped, or the "Bad substitution" error. Currently, what happens instead is it attempts, but fails, to skip the ${...//...}.

The reason it fails is because the word is cut off.

Variable substitutions are encoded as a CTLVAR special character, followed by a byte indicating the type of substitution, followed by the rest of the substitution data. The type of substitution is the VSNORMAL, VSMINUS, etc. seen in parser.h. An invalid substitution is encoded as a value of 0.

When we define a function, we clone the function body in order to preserve it. Cloning the function body is done by cloning each node. Cloning a "word" node (NARG) involves copying the characters that make up the word up to and including the terminating null byte.

These two interact badly. The invalid substitution is seen as terminating the word, the rest of the word is not copied, but the expansion code does not have any way of seeing that anything got cut off and happily continues attempting to process the rest of the word.

If dash decides to issue an error in this case, this is not a problem: the null byte is guaranteed to be copied, and if processing is guaranteed to stop if a null byte is encountered, everything works out.

If dash decides to not issue an error in this case, the encoding of bad substitutions needs to change to a non-null byte. It appears that if we set the byte to VSNUL, the expansion logic is already able to handle it, but I have not tested this extensively.

Cheers,
Harald van Dijk



[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux