potential bug in ash
Nguyen Thai Ngoc Duy
pclouds at gmail.com
Sat Jul 28 14:55:40 PDT 2007
Hi
Here is an excerpt from ash.c:
	if (pathopt) {		/* this is a %func directory */
		stalloc(strlen(fullname) + 1);
		readcmdfile(fullname);
		cmdp = cmdlookup(name, 0);
		if (cmdp == NULL || cmdp->cmdtype != CMDFUNCTION)
			ash_msg_and_raise_error("%s not defined in %s", name, fullname);
		stunalloc(fullname);
		goto success;
	}
gmail may corrupt the code but you can find the code in function find_command().
fullname is not updated after stalloc(). It is perfectly fine now
because there isn't any stalloc inside the while loop. But if in
future you decide to allocate some blocks before that excerpt, the
return value from stalloc(strlen(fullname) + 1) may no longer be
fullname and then stunalloc(fullname) will blindly screw up the stack.
I encountered this problem when trying to (don't blame me) port ash to
Windows. So the suggestion is to replace the stalloc() line with:
	fullname = stalloc(strlen(fullname) + 1);
The safer the better.
--
Duy
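
The failure mode described in the post, replayed on a toy stack allocator. This is an added example, not part of the original message and not BusyBox's code; the arena, stackblock() stand-in, replay() and its parameters are hypothetical, and only the stalloc()/stunalloc() names come from the excerpt.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy model of a stack allocator with the stalloc()/stunalloc() contract
 * the post relies on. Simplified for illustration; not BusyBox's code and
 * without bounds checks (the constructed sizes below fit the arena). */
static char arena[256];
static size_t top;                      /* offset of the first free byte */

/* Start of the free space, where a string can be built before committing. */
static char *stackblock(void) { return arena + top; }

/* Commit n bytes and return where they start. */
static void *stalloc(size_t n) { char *p = arena + top; top += n; return p; }

/* Release everything from p upward; p is trusted blindly. */
static void stunalloc(void *p) { top = (size_t)((char *)p - arena); }

/* Replay the excerpt's commit/release sequence.
 * earlier:    bytes allocated by hypothetical code added before the commit
 * use_return: 0 = ignore stalloc()'s result (excerpt), 1 = suggested fix
 * Returns the bytes still allocated afterwards; correct value is `earlier`. */
size_t replay(size_t earlier, size_t name_len, int use_return)
{
    char *fullname;
    void *committed;

    top = 0;
    fullname = stackblock();            /* name sits in uncommitted space */
    if (earlier)
        stalloc(earlier);               /* the allocation the post warns about */
    committed = stalloc(name_len + 1);
    if (use_return)
        fullname = committed;
    stunalloc(fullname);                /* a stale fullname rewinds past `earlier` */
    return top;
}

int main(void)
{
    printf("no earlier block, excerpt: %zu\n", replay(0, 9, 0));
    printf("32-byte block, excerpt:    %zu\n", replay(32, 9, 0));
    printf("32-byte block, fixed:      %zu\n", replay(32, 9, 1));
    return 0;
}
```

With no earlier allocation both variants leave the stack balanced; once a block is allocated first, the unchecked variant releases that block as well.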