authorHerbert Xu <herbert@gondor.apana.org.au>2014-10-02 08:26:06 +0800
committerBen Hutchings <ben@decadent.org.uk>2020-03-28 21:42:54 +0000
commit097a6e92dd6aea6d1e1e872c3aa02d677a004a88 (patch)
tree3b7b3345d3006e00c7c124062c754cf667dac72c
parent25465e7d5b75f8d62d668c2e45be202111d5f027 (diff)
downloadklibc-097a6e92dd6aea6d1e1e872c3aa02d677a004a88.tar.gz
[klibc] dash: [EVAL] Fix use-after-free in dotrap/evalstring
[ dash commit 6c3f73bc536082fec38bd36e6c8a121033c68835 ] The function dotrap calls evalstring using the stored trap string. If evalstring then unsets that exact trap string then we will end up using freed memory. This patch fixes it by making evalstring always duplicate the string before using it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r--usr/dash/eval.c3
-rw-r--r--usr/dash/histedit.c3
2 files changed, 4 insertions, 2 deletions
diff --git a/usr/dash/eval.c b/usr/dash/eval.c
index e6f6cd5c28508..adf05fdec231c 100644
--- a/usr/dash/eval.c
+++ b/usr/dash/eval.c
@@ -160,6 +160,7 @@ evalstring(char *s, int flags)
struct stackmark smark;
int status;
+ s = sstrdup(s);
setinputstring(s);
setstackmark(&smark);
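Review bot: The new `s = sstrdup(s);` has to stay ahead of `setstackmark(&smark)`, and nothing in the code records that constraint. Judging by the `stunalloc(s)` added at the end of the function and the `stalloc` copy removed from the histedit.c call site, the duplicate appears to live on the shell's stack allocator, so a copy taken after the mark would be released by a later `popstackmark(&smark)` while `setinputstring(s)` presumably still has the input pointing at it. A comment above the line would keep the fix from being undone by a reorder, e.g. `/* Copy first: evaluation may free the caller's string (a trap action unsetting itself). Must precede setstackmark() so popstackmark() never releases the copy. */`. The signature and first declarations of evalstring sit above this hunk.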
@@ -171,7 +172,9 @@ evalstring(char *s, int flags)
if (evalskip)
break;
}
+ popstackmark(&smark);
popfile();
+ stunalloc(s);
return status;
}
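Review bot: The teardown order added here (`popstackmark(&smark)`, then `popfile()`, then `stunalloc(s)`) looks load-bearing but is not explained. `stunalloc` presumably only returns memory when `s` is the most recent stack allocation, which would be why the explicit `popstackmark` is needed after the `break` on `evalskip`. A short comment such as `/* unwind to the mark so s is top of stack again; release it only after popfile() has dropped the input that reads from it */` would stop a later reordering from leaking the copy or releasing memory still in use. If evaluation can leave this function by a non-local jump, none of these three calls run, so it is worth confirming that the stack and input are restored elsewhere on that path. The loop they follow starts above this hunk.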
diff --git a/usr/dash/histedit.c b/usr/dash/histedit.c
index b27d6294ce08e..94465d785cc9e 100644
--- a/usr/dash/histedit.c
+++ b/usr/dash/histedit.c
@@ -372,8 +372,7 @@ histcmd(int argc, char **argv)
out2str(s);
}
- evalstring(strcpy(stalloc(strlen(s) + 1), s),
- 0);
+ evalstring(s, 0);
if (displayhist && hist) {
/*
* XXX what about recursive and