Re-sending this fix for a use-after-free in the bash pattern substitution code
in ash; I’m not sure the mailing list software liked my original attachment.
Thanks, Karsten
diff --git a/shell/ash.c b/shell/ash.c
index 5f8c8ea19..38368f590 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7374,6 +7374,8 @@ subevalvar(char *start, char *str, int strloc,
char *restart_detect = stackblock();
if (quotes && *loc == '\\') {
STPUTC(CTLESC, expdest);
+ if (stackblock() != restart_detect)
+ goto restart;
len++;
}
STPUTC(*loc, expdest);
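Review bot: the added check between `STPUTC(CTLESC, expdest);` and `len++;` carries no comment explaining why it is needed, and without one it is easy to mistake for redundant code. Suggest a one-line comment saying that STPUTC may have grown and moved the stack block, so `loc` must not be dereferenced by the following `STPUTC(*loc, expdest);` without restarting. It is also worth confirming that the `restart` path resets `len` and the output position, because the jump is taken after CTLESC has been emitted but before `len++` runs.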
> On 8/03/2023, at 4:23 PM, Karsten Sperling <[email protected]> wrote:
>
> Hi,
>
> This is a fix for a use-after-free issue in the bash pattern substitution
> code in ash (related to STPUTC potentially causing the buffer to be
> reallocated). Most of these were fixed in 1.36.0; however, one unguarded STPUTC
> remained, which is fixed in the attached patch.
>
> Thanks, Karsten
>
> <busybox-ash-another-uaf.patch>
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
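The bug class described in the message, as an added example that is not BusyBox code: a source pointer into a growable buffer goes stale when an append moves the buffer. `struct gbuf`, `gb_put`, `append_escaped`, `demo` and the `ESC` marker are hypothetical stand-ins. Where ash jumps to `restart`, this sketch re-derives the pointer from its offset.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer standing in for ash's stack block. */
struct gbuf { char *base; size_t len, cap; unsigned gen; };

/* Append one byte. Growth always moves the block, so stale pointers are real. */
static int gb_put(struct gbuf *b, char c)
{
    if (b->len == b->cap) {
        size_t ncap = b->cap ? b->cap * 2 : 4;
        char *n = malloc(ncap);
        if (!n) return -1;
        if (b->len) memcpy(n, b->base, b->len);
        free(b->base);          /* every pointer into the old block now dangles */
        b->base = n; b->cap = ncap; b->gen++;
    }
    b->base[b->len++] = c;
    return 0;
}

#define ESC '\x01'              /* constructed marker in the role of CTLESC */

/* Append bytes [off, off+n) of the buffer to its own end, ESC before each '\\'.
 * Returns how often loc had to be rebased between the two puts, or -1. */
static int append_escaped(struct gbuf *b, size_t off, size_t n)
{
    int rebased = 0;
    for (size_t i = 0; i < n; i++) {
        const char *loc = b->base + off + i;
        unsigned detect = b->gen;   /* ash compares stackblock() addresses */
        if (*loc == '\\') {
            if (gb_put(b, ESC) < 0) return -1;
            if (b->gen != detect) { /* block moved: re-derive loc before *loc */
                loc = b->base + off + i;
                rebased++;
            }
        }
        if (gb_put(b, *loc) < 0) return -1;
    }
    return rebased;
}

/* Constructed input "\abc" fills the 4-byte block, so the ESC put moves it. */
static int demo(char out[5])
{
    struct gbuf b = {0};
    int r = 0;
    for (const char *s = "\\abc"; *s; s++) if (gb_put(&b, *s) < 0) r = -1;
    if (r == 0) r = append_escaped(&b, 0, 4);
    if (r >= 0) memcpy(out, b.base + 4, 5);
    free(b.base);
    return r;
}

int main(void) { char out[5]; return demo(out) == 1 ? 0 : 1; }
```

Removing the generation check inside the `'\\'` branch reproduces the unguarded pattern: `*loc` is then read from the freed block, which AddressSanitizer reports as a heap-use-after-free.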