diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2014-10-02 08:26:06 +0800 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2020-03-28 21:42:54 +0000 |
commit | 097a6e92dd6aea6d1e1e872c3aa02d677a004a88 (patch) | |
tree | 3b7b3345d3006e00c7c124062c754cf667dac72c | |
parent | 25465e7d5b75f8d62d668c2e45be202111d5f027 (diff) | |
download | klibc-097a6e92dd6aea6d1e1e872c3aa02d677a004a88.tar.gz |
[klibc] dash: [EVAL] Fix use-after-free in dotrap/evalstring
[ dash commit 6c3f73bc536082fec38bd36e6c8a121033c68835 ]
The function dotrap calls evalstring using the stored trap string.
If evalstring then unsets that exact trap string then we will end
up using freed memory.
This patch fixes it by making evalstring always duplicate the string
before using it.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | usr/dash/eval.c | 3 | ||||
-rw-r--r-- | usr/dash/histedit.c | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/usr/dash/eval.c b/usr/dash/eval.c index e6f6cd5c28508..adf05fdec231c 100644 --- a/usr/dash/eval.c +++ b/usr/dash/eval.c @@ -160,6 +160,7 @@ evalstring(char *s, int flags) struct stackmark smark; int status; + s = sstrdup(s); setinputstring(s); setstackmark(&smark); @@ -171,7 +172,9 @@ evalstring(char *s, int flags) if (evalskip) break; } + popstackmark(&smark); popfile(); + stunalloc(s); return status; } diff --git a/usr/dash/histedit.c b/usr/dash/histedit.c index b27d6294ce08e..94465d785cc9e 100644 --- a/usr/dash/histedit.c +++ b/usr/dash/histedit.c @@ -372,8 +372,7 @@ histcmd(int argc, char **argv) out2str(s); } - evalstring(strcpy(stalloc(strlen(s) + 1), s), - 0); + evalstring(s, 0); if (displayhist && hist) { /* * XXX what about recursive and |