[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: [PATCH] ash: don't read past end of var in subvareval for bash substitutions
From: soeren () soeren-tempel ! net
Date: 2022-02-28 7:36:50
Message-ID: 20220228073649.16485-1-soeren () soeren-tempel ! net
[Download RAW message or body]
From: Sören Tempel <soeren@soeren-tempel.net>
Without this patch, BusyBox handles bash pattern substitutions without
a terminating '/' character incorrectly.
Consider the following shell script:
_bootstrapver=5.0.211-r0
_referencesdir="/usr/${_bootstrapver/-*}/Sources"
echo $_referencesdir
This should output `/usr/5.0.211/Sources`. However, without this patch
it instead outputs `/usr/5.0.211Sources`. This is due to the fact that
BusyBox expects the bash pattern substitutions to always be terminated
with a '/' (at least in this part of subvareval) and thus reads passed
the substitution itself and consumes the '/' character which is part of
the literal string. If there is no '/' after the substitution then
BusyBox might perform an out-of-bounds read under certain circumstances.
When replacing the bash pattern substitution with `${_bootstrapver/-*/}`,
or with this patch applied, ash outputs the correct value.
Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>
---
shell/ash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shell/ash.c b/shell/ash.c
index adb0f223a..8097d51c3 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7077,7 +7077,7 @@ subevalvar(char *start, char *str, int strloc,
repl = NULL;
break;
}
- if (*repl == '/') {
+ if (*repl == '/' || (unsigned char)*repl == CTLENDVAR) {
*repl = '\0';
break;
}
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic