Hello,
while debugging a segfault in sfswap I noticed the following in the
io.c:sh_iorestore() function:
1662 ⋅ ⋅ if ((savefd = filemap[fd].save_fd) >= 0)
1663 ⋅ ⋅ {
1664 ⋅ ⋅ ⋅ sh_fcntl(savefd, F_DUPFD, origfd);
1665 ⋅ ⋅ ⋅ if(savefd==job.fd)
1666 ⋅ ⋅ ⋅ ⋅ job.fd=origfd;
1667 ⋅ ⋅ ⋅ shp->fdstatus[origfd] = shp->fdstatus[savefd];
1668 ⋅ ⋅ ⋅ /* turn off close-on-exec if flag if necessary */
1669 ⋅ ⋅ ⋅ if(shp->fdstatus[origfd]&IOCLEX)
1670 ⋅ ⋅ ⋅ ⋅ fcntl(origfd,F_SETFD,FD_CLOEXEC);
1671 ⋅ ⋅ ⋅ if(origfd<=2)
1672 ⋅ ⋅ ⋅ {
1673 ⋅ ⋅ ⋅ ⋅ sfswap(shp->sftable[savefd],shp->sftable[origfd]);
1674 ⋅ ⋅ ⋅ ⋅ if(origfd==0)
1675 ⋅ ⋅ ⋅ ⋅ ⋅ shp->st.ioset = 0;
1676 ⋅ ⋅ ⋅ }
1677 ⋅ ⋅ ⋅ else
1678 ⋅ ⋅ ⋅ ⋅ shp->sftable[origfd] = shp->sftable[savefd];
1679 ⋅ ⋅ ⋅ shp->sftable[savefd] = 0;
1680 ⋅ ⋅ ⋅ sh_close(savefd);
1681 ⋅ ⋅ }
The segfault in my case came from the problem when origfd value has been set
to -1 (F_DUPFD failed) and then accessing shp->sftable[origfd] lead to
crash. I believe the root cause for the problem I'm investigating is
somewhere else but not checking the origfd value after the sh_fcntl call on
line 1664 and missing error handling doesn't seem to be correct to me (the
fcntl call simply can fail and we should count with that).
Am I right?
Thank you and regards,
--
Tomáš Smetana
_______________________________________________
ast-developers mailing list
[email protected]
https://mailman.research.att.com/mailman/listinfo/ast-developers
