authorDenys Vlasenko2016-09-25 21:24:04 +0200
committerDenys Vlasenko2016-09-25 21:24:04 +0200
commit557482c1cbeacaeb24247738b09983a0736d407a (patch)
treeeee94ae5b14767cd4bdb85b92512dbdc9d5b4fcc
parent13f20919b2477230063bb940396bef51b463d6df (diff)
ash: in heredoc code, fix access past the end of allocated memory. Closes 9276
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--shell/ash.c32
1 files changed, 18 insertions, 14 deletions
diff --git a/shell/ash.c b/shell/ash.c
index 578b3dc..a113ff1 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -5112,8 +5112,26 @@ openredirect(union node *redir)
char *fname;
int f;
+ switch (redir->nfile.type) {
+/* Can't happen, our single caller does this itself */
+// case NTOFD:
+// case NFROMFD:
+// return -1;
+ case NHERE:
+ case NXHERE:
+ return openhere(redir);
+ }
+
+ /* For N[X]HERE, reading redir->nfile.expfname would touch beyond
+ * allocated space. Do it only when we know it is safe.
+ */
fname = redir->nfile.expfname;
+
switch (redir->nfile.type) {
+ default:
+#if DEBUG
+ abort();
+#endif
case NFROM:
f = open(fname, O_RDONLY);
if (f < 0)
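Review bot: The relocated `default:` label now sits directly above `case NFROM:`, so in non-DEBUG builds an unexpected node type falls silently into `open(fname, O_RDONLY)`, and `redir->nfile.expfname` has already been read for that type by then. The early switch shields only NHERE and NXHERE; any other node kind allocated smaller than the nfile layout (an inference, since the union definition is not in this hunk) would hit the same over-read this commit fixes. I would mark the fallthrough explicitly, e.g. `/* fall through: unexpected type is handled as NFROM when !DEBUG */`, and consider loading `fname` only after the type is known to be one of the file-redirect kinds. The commented-out NTOFD/NFROMFD cases rely on the single caller filtering them, so naming that caller in the comment would make the invariant checkable. openredirect's body starts and ends outside this hunk.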
@@ -5146,20 +5164,6 @@ openredirect(union node *redir)
if (f < 0)
goto ecreate;
break;
- default:
-#if DEBUG
- abort();
-#endif
- /* Fall through to eliminate warning. */
-/* Our single caller does this itself */
-// case NTOFD:
-// case NFROMFD:
-// f = -1;
-// break;
- case NHERE:
- case NXHERE:
- f = openhere(redir);
- break;
}
return f;