summaryrefslogtreecommitdiff
path: root/shell
diff options
context:
space:
mode:
authorDenys Vlasenko2016-09-28 23:02:57 +0200
committerDenys Vlasenko2016-09-28 23:02:57 +0200
commit8e2bc47d62d48687f681855d4b086c758ae745c4 (patch)
tree5666b8f66ea374d7a7716df9eda2f184f0749914 /shell
parent7ee7c6fc20d3b94c257f829dece097ff339895ee (diff)
downloadbusybox-8e2bc47d62d48687f681855d4b086c758ae745c4.zip
busybox-8e2bc47d62d48687f681855d4b086c758ae745c4.tar.gz
ash: [EVAL] Fix use-after-free in dotrap/evalstring
From upstream: [EVAL] Fix use-after-free in dotrap/evalstring The function dotrap calls evalstring using the stored trap string. If evalstring then unsets that exact trap string then we will end up using freed memory. This patch fixes it by making evalstring always duplicate the string before using it. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'shell')
-rw-r--r--shell/ash.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/shell/ash.c b/shell/ash.c
index f395a16..7a7ea18 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -1459,7 +1459,7 @@ stunalloc(void *p)
* Like strdup but works with the ash stack.
*/
static char *
-ststrdup(const char *p)
+sstrdup(const char *p)
{
size_t len = strlen(p) + 1;
return memcpy(stalloc(len), p, len);
@@ -2514,7 +2514,7 @@ updatepwd(const char *dir)
char *cdcomppath;
const char *lim;
- cdcomppath = ststrdup(dir);
+ cdcomppath = sstrdup(dir);
STARTSTACKSTR(new);
if (*dir != '/') {
if (curdir == nullstr)
@@ -6993,7 +6993,7 @@ addfname(const char *name)
struct strlist *sp;
sp = stzalloc(sizeof(*sp));
- sp->text = ststrdup(name);
+ sp->text = sstrdup(name);
*exparg.lastp = sp;
exparg.lastp = &sp->next;
}
@@ -12221,10 +12221,12 @@ evalstring(char *s, int mask)
int skip;
// int status;
+ s = sstrdup(s);
setinputstring(s);
setstackmark(&smark);
skip = 0;
+// status = 0;
while ((n = parsecmd(0)) != NODE_EOF) {
int i;
@@ -12236,7 +12238,9 @@ evalstring(char *s, int mask)
if (skip)
break;
}
+ popstackmark(&smark);
popfile();
+ stunalloc(s);
skip &= mask;
evalskip = skip;