bug in CSH (history)

Glenn Huxtable glenn at wacsvax.OZ
Thu Oct 25 12:30:25 AEST 1984


A fix was reported for a bug in scanning 'history' command arguments
of CSH. I installed this fix, to find another bug. The fix was given as ...

	>2) The validity of the flags is not checked and since the argument 
	>   pointer is only incremented when a valid flag is found, using a
	>    wrong flag throws the Cshell in a loop.
	>2) in sh.hist.c, change the following lines in dohist():
	>	vp++;
	>	while (*vp && *vp[0] == '-') {
	>		if (*vp && eq(*vp, "-h")) {
	>			hflg++;
	>			vp++;
	>		}
	>		if (*vp && eq(*vp, "-r")) {
	>			rflg++;
	>			vp++;
	>		}
	>	}
	>to:
	>	while (*++vp && **vp == '-') {
	>		while(*++*vp)
	>			switch(**vp) {
	>			case 'h':
	>				hflg++; break;
	>			case 'r':
	>				rflg++; break;
	>			case '-': /* ignore multiple '-'s */
	>				break;
	>			default:
	>				printf("Unknown flag: -%c\n", **vp);
	>				error("Usage: history [-rh] [# of events]");
	>			}
	>	}

The fix introduced another bug, as the line 'while(*++*vp)' modifies the
argument pointer in scanning through the argument. Later CSH tries to use this
pointer (which now points to the end of the argument) to free the memory
used to store the command. Free (malloc) gets an mfree botch and CSH dies.
The solution is to use a local pointer, 'vp2' say; the fix then becomes ...

=>	char *vp2;
	...
	while (*++vp && **vp == '-') {
=>		vp2 = *vp;
=>		while(*++vp2)
=>			switch(*vp2) {
			case 'h':
				hflg++; break;
			case 'r':
				rflg++; break;
			case '-': /* ignore multiple '-'s */
				break;
			default:
=>				printf("Unknown flag: -%c\n", *vp2);
				error("Usage: history [-rh] [# of events]");
			}
	}
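To show the difference between the two scans outside csh, here is an added, self-contained C example that is not code from the post or from csh's sh.hist.c. It rewrites both loops as standalone functions (the names scan_history_flags, scan_history_flags_in_place, argv_intact_after and struct histopts are my own), returns -1 where csh would call error(), and runs each scan over a constructed, malloc'd argv for "history -rh 10" to check whether every argument pointer still points at the block that was allocated for it, which is what a later free() through that pointer requires.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flags collected from a "history [-rh] [# of events]" command line. */
struct histopts {
    int  hflg;
    int  rflg;
    char badc;   /* first unknown flag character, 0 if none */
};

typedef int (*scanner_fn)(char **vp, struct histopts *o);

/* Corrected scan (as in the post): a local cursor walks each flag word, so
 * vp[i] still points at the start of its argument afterwards and can be
 * handed to free().  Returns the index of the first non-flag word, or -1
 * when an unknown flag is seen (csh calls error() at that point instead). */
static int scan_history_flags(char **vp, struct histopts *o)
{
    int i;
    o->hflg = o->rflg = 0;
    o->badc = 0;
    for (i = 1; vp[i] != NULL && vp[i][0] == '-'; i++) {
        const char *vp2 = vp[i];          /* local pointer, argv untouched */
        while (*++vp2) {
            switch (*vp2) {
            case 'h': o->hflg++; break;
            case 'r': o->rflg++; break;
            case '-': break;              /* ignore multiple '-'s */
            default:  o->badc = *vp2; return -1;
            }
        }
    }
    return i;
}

/* The quoted fix's scan: "*++*vp" advances the argv element itself, so when
 * the loop ends vp[i] points at the terminating NUL of its word, not at the
 * block that was allocated for it.  Freeing through vp[i] later is what
 * produces the "mfree botch" described in the post. */
static int scan_history_flags_in_place(char **vp, struct histopts *o)
{
    int i;
    o->hflg = o->rflg = 0;
    o->badc = 0;
    for (i = 1; vp[i] != NULL && vp[i][0] == '-'; i++) {
        while (*++vp[i]) {                /* moves vp[i] forward, permanently */
            switch (*vp[i]) {
            case 'h': o->hflg++; break;
            case 'r': o->rflg++; break;
            case '-': break;
            default:  o->badc = *vp[i]; return -1;
            }
        }
    }
    return i;
}

/* Build a malloc'd argv for the constructed command "history <flagword> 10",
 * run the given scanner, and report whether every argv element still points
 * at the memory allocated for it (1 = yes, free(vp[i]) would be valid;
 * 0 = no, a free through vp[i] would hit a non-malloc'd address).  Memory is
 * released through the saved originals so the check itself is always safe. */
static int argv_intact_after(scanner_fn scan, const char *flagword,
                             struct histopts *o)
{
    const char *words[3];
    enum { NWORDS = 3 };
    char *argv[NWORDS + 1], *orig[NWORDS];
    int i, intact = 1;

    words[0] = "history";
    words[1] = flagword;
    words[2] = "10";
    for (i = 0; i < NWORDS; i++) {
        orig[i] = malloc(strlen(words[i]) + 1);
        strcpy(orig[i], words[i]);
        argv[i] = orig[i];
    }
    argv[NWORDS] = NULL;

    (void)scan(argv, o);

    for (i = 0; i < NWORDS; i++)
        if (argv[i] != orig[i])
            intact = 0;
    for (i = 0; i < NWORDS; i++)
        free(orig[i]);                    /* always the original pointers */
    return intact;
}

int main(void)
{
    struct histopts o;
    int ok;

    ok = argv_intact_after(scan_history_flags, "-rh", &o);
    printf("local pointer : argv intact=%d hflg=%d rflg=%d\n", ok, o.hflg, o.rflg);
    ok = argv_intact_after(scan_history_flags_in_place, "-rh", &o);
    printf("in-place scan : argv intact=%d hflg=%d rflg=%d\n", ok, o.hflg, o.rflg);
    return 0;
}
```

Both scanners collect the same flags; only the local-pointer version leaves argv[1] pointing at its allocated block, so it is the only one after which csh's later free of the command words is valid.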
-----------------------------------------------------
Glenn Huxtable					Department of Computer Science
						University of Western Australia
USENET:		...decvax!mulga!wacsvax!glenn
OZNET:		glenn:wacsvax