Zsh Mailing List Archive

Re: Buffer overflow with long fd numbers in redirects



On 6 October 2014 16:24, Axel Beckert <abe@xxxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Mon, Oct 06, 2014 at 04:00:44PM +0200, Mikael Magnusson wrote:
>> Someone reported this on IRC the other day,
>> % >&333333333333333333333
>> zsh: number truncated after 20 digits: 333333333333333333333
>> *** buffer overflow detected ***: zsh terminated
>>
>> At least one place where this is mishandled is in exec.c around line 3215,
>
> I can reproduce this in 5.0.6.
>
> But I can't reproduce this in 4.3.17 as in Debian Wheezy. There it
> looks exactly like this:
>
>> Output with the patch,
>> % >&333333333333333333333
>> zsh: number truncated after 20 digits: 333333333333333333333
>> zsh: 553997653: bad file descriptor
>
> !518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
> ~ → echo $ZSH_VERSION
> 4.3.17
> !518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
> ~ → >&333333333333333333333
> zsh: number truncated after 20 digits: 333333333333333333333
> zsh: 553997653: bad file descriptor
> !519 Z8 ?1 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:50
> ~ →

You'll only see this error if zsh was compiled with buffer overflow
checking enabled (or against a glibc that has it enabled, not 100%
sure on the implementation details); probably it wasn't for the older
package. Overflowing the buffer doesn't write on any unallocated
memory so it won't segfault (fdstr is the last variable on the stack).

-- 
Mikael Magnusson
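
[Added example, not part of the thread and not zsh's own code.] The two numbers quoted above fit together: 333333333333333333333 is cut to 20 digits, and the low 32 bits of 33333333333333333333 are exactly 553997653, which is the fd that ends up in the "bad file descriptor" message. A 9-digit fd needs 10 bytes with its terminating NUL, so any small fixed buffer that sprintf() writes it into is overrun, which is what the glibc fortify check reported. The program below models that chain: a digit parser that keeps 20 digits and stores into an int (my model, chosen to reproduce the thread's values; it is not zsh's zstrtol), a check of whether a given fd fits a given buffer, and a snprintf-based formatter that reports truncation instead of overflowing. The 4-byte buffer size is an illustrative assumption about the kind of fixed buffer involved, not a claim about exec.c.

```c
/*
 * Added example (not zsh code): how a 21-digit redirect target such as
 *   >&333333333333333333333
 * becomes fd 553997653, and why a small fixed fdstr cannot hold it.
 * Parsing model (keep 20 digits, wrap into an int) is an assumption made
 * to reproduce the numbers in the thread, not a copy of zsh's zstrtol.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Digits kept before the value is reported as truncated (assumed). */
#define MAX_FD_DIGITS 20

/* Bytes needed for any int printed with "%d": 3 chars per byte
 * over-approximates log10(256), plus sign and NUL. */
#define INT_STRLEN_MAX (sizeof(int) * 3 + 2)

/* Parse a run of decimal digits into an fd number. Only the first
 * MAX_FD_DIGITS are used; the 64-bit accumulator wraps and the result is
 * narrowed to the low 32 bits, as storing into an int would do.
 * Returns true when digits were dropped (the "number truncated" case). */
static bool parse_fd_digits(const char *s, int *fd_out)
{
    uint64_t acc = 0;           /* unsigned, so wrapping is well-defined */
    size_t ndigits = 0;
    bool truncated = false;

    for (; *s >= '0' && *s <= '9'; s++) {
        if (ndigits == MAX_FD_DIGITS) {
            truncated = true;
            break;
        }
        acc = acc * 10u + (uint64_t)(*s - '0');
        ndigits++;
    }
    /* Low 32 bits only; the thread's value is below 2^31, so this is a
     * plain positive int (with the top bit set it would be negative). */
    *fd_out = (int)(uint32_t)acc;
    return truncated;
}

/* Convenience wrapper returning just the fd value. */
static int fd_from_digits(const char *s)
{
    int fd;
    parse_fd_digits(s, &fd);
    return fd;
}

/* Would "%d" of fd plus the NUL fit in bufsize bytes?
 * snprintf(NULL, 0, ...) returns the length it would have produced. */
static bool fd_fits(int fd, size_t bufsize)
{
    int need = snprintf(NULL, 0, "%d", fd);
    return need >= 0 && (size_t)need + 1 <= bufsize;
}

/* Hardened replacement for `sprintf(fdstr, "%d", fd)` into a fixed array:
 * never writes past bufsize, and tells the caller when the number did not
 * fit so the message can be skipped rather than printed wrong. */
static bool format_fd(int fd, char *buf, size_t bufsize)
{
    int n = snprintf(buf, bufsize, "%d", fd);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    int fd;
    bool truncated = parse_fd_digits("333333333333333333333", &fd);
    char small[4];               /* illustrative too-small fixed buffer */
    char big[INT_STRLEN_MAX];    /* sized for any int */

    if (truncated)
        printf("number truncated after %d digits\n", MAX_FD_DIGITS);
    printf("fd = %d\n", fd);
    printf("fits in %zu bytes: %s\n", sizeof small,
           fd_fits(fd, sizeof small) ? "yes" : "no");
    if (format_fd(fd, big, sizeof big))
        printf("%s: bad file descriptor\n", big);
    if (!format_fd(fd, small, sizeof small))
        printf("fd does not fit in %zu bytes; not printed\n", sizeof small);
    return 0;
}
```

The check worth taking away is the last one: with snprintf() the worst case is a truncated message, with sprintf() into a fixed array it is a stack write past the buffer, and whether that crashes depends only on what happens to sit next to the array and on whether fortify checking was compiled in, as the reply above notes.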


