Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues )

From: Ali Saifullah Khan (saifullah@gamebox.net)
Date: 02/16/03

Next message: spacewalker: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)"

Previous message: Roland Postle: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 16 Feb 2003 14:16:56 +0500
From: Ali Saifullah Khan <saifullah@gamebox.net>
To: vuln-dev@securityfocus.com

file : bash-VERSION/lib/glob/glob.c
char ** glob_filename(pathname)
char * pathname;
{
.
.
        {
                directory_len = (filename - pathname) + 1;
                directory_name = (char *) alloca (directory_len + 1);

                bcopy (pathname, directory_name, directory_len);
                directory_name[directory_len] = '\0';
                ++filename;
        }
.
.
As Vladimir pointed out, instead of copying a large source string of length
'directory_len' why not simply copy strlen(pathname) bytes to directory_name.
Would this produce a fix ?....I'm not an expert when it comes to C, but so far this is what i conclude.

Regards.

application/pgp-signature attachment: stored

Next message: spacewalker: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)"
Previous message: Roland Postle: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Sub strings
... source string over the start of the string you just located. ... all is well if refStringToLocate is "come" but all is NOT well ... both sources and destinations; that's the overlap. ... nor in units of one char at a time. ...
(comp.lang.c)
Re: File Access
... Read everything from the input file, ... > to the output file. ... until I find 'm' and I start copying them again. ... What are they ways of getting a char or a few chars? ...
(comp.lang.cpp)
Re: FASTER string copy ????
... string buffer. ... typedef struct _sourceString ... char secondSourceString; ... if copying short strings is a performance ...
(comp.lang.c)
[CHECKER] writes not always synchronous on JFS with O_SYNC?
... typedef unsigned int signature_t; ... int test_write(const char *pathname, unsigned i) ... To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ ...
(Linux-Kernel)
Re: what s wrong with this code?
... Basename(char *pathname) { ... your function mis-handles handle the ... these versions return (char*) cast to, ... the case with the standard basenametoo, ...
(comp.lang.c)