diff options
author | Denys Vlasenko | 2016-09-25 21:24:04 +0200 |
---|---|---|
committer | Denys Vlasenko | 2016-09-25 21:24:04 +0200 |
commit | 557482c1cbeacaeb24247738b09983a0736d407a (patch) | |
tree | eee94ae5b14767cd4bdb85b92512dbdc9d5b4fcc | |
parent | 13f20919b2477230063bb940396bef51b463d6df (diff) | |
download | busybox-557482c1cbeacaeb24247738b09983a0736d407a.zip busybox-557482c1cbeacaeb24247738b09983a0736d407a.tar.gz |
ash: in heredoc code, fix access past the end of allocated memory. Closes 9276
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | shell/ash.c | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/shell/ash.c b/shell/ash.c index 578b3dc..a113ff1 100644 --- a/shell/ash.c +++ b/shell/ash.c @@ -5112,8 +5112,26 @@ openredirect(union node *redir) char *fname; int f; + switch (redir->nfile.type) { +/* Can't happen, our single caller does this itself */ +// case NTOFD: +// case NFROMFD: +// return -1; + case NHERE: + case NXHERE: + return openhere(redir); + } + + /* For N[X]HERE, reading redir->nfile.expfname would touch beyond + * allocated space. Do it only when we know it is safe. + */ fname = redir->nfile.expfname; + switch (redir->nfile.type) { + default: +#if DEBUG + abort(); +#endif case NFROM: f = open(fname, O_RDONLY); if (f < 0) @@ -5146,20 +5164,6 @@ openredirect(union node *redir) if (f < 0) goto ecreate; break; - default: -#if DEBUG - abort(); -#endif - /* Fall through to eliminate warning. */ -/* Our single caller does this itself */ -// case NTOFD: -// case NFROMFD: -// f = -1; -// break; - case NHERE: - case NXHERE: - f = openhere(redir); - break; } return f; |