1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
bash: Fix for CVE-2014-7186 and CVE-2014-7187
Upstream-Status: Backport {GNU Patch-ID: bash32-055}
Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
Author: Chet Ramey <chet.ramey@case.edu>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
BASH PATCH REPORT
=================
Bash-Release: 3.2
Patch-ID: bash32-055
Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
There are two local buffer overflows in parse.y that can cause the shell
to dump core when given many here-documents attached to a single command
or many nested loops.
---
--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
+++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
@@ -166,4 +166,7 @@
static int reserved_word_acceptable __P((int));
static int yylex __P((void));
+
+static void push_heredoc __P((REDIRECT *));
+static char *mk_alexpansion __P((char *));
static int alias_expand_token __P((char *));
static int time_command_acceptable __P((void));
@@ -254,5 +257,7 @@
/* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+#define HEREDOC_MAX 16
+
+static REDIRECT *redir_stack[HEREDOC_MAX];
int need_here_doc;
@@ -280,5 +285,5 @@
index is decremented after a case, select, or for command is parsed. */
#define MAX_CASE_NEST 128
-static int word_lineno[MAX_CASE_NEST];
+static int word_lineno[MAX_CASE_NEST+1];
static int word_top = -1;
@@ -425,5 +430,5 @@
redir.filename = $2;
$$ = make_redirection (0, r_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
}
| NUMBER LESS_LESS WORD
@@ -431,5 +436,5 @@
redir.filename = $3;
$$ = make_redirection ($1, r_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
}
| LESS_LESS_LESS WORD
@@ -488,5 +493,5 @@
$$ = make_redirection
(0, r_deblank_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
}
| NUMBER LESS_LESS_MINUS WORD
@@ -495,5 +500,5 @@
$$ = make_redirection
($1, r_deblank_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
}
| GREATER_AND '-'
@@ -2214,4 +2219,19 @@
static int esacs_needed_count;
+static void
+push_heredoc (r)
+ REDIRECT *r;
+{
+ if (need_here_doc >= HEREDOC_MAX)
+ {
+ last_command_exit_value = EX_BADUSAGE;
+ need_here_doc = 0;
+ report_syntax_error (_("maximum here-document count exceeded"));
+ reset_parser ();
+ exit_shell (last_command_exit_value);
+ }
+ redir_stack[need_here_doc++] = r;
+}
+
void
gather_here_documents ()
|
