At 2:23 PM -0600 2/13/03, Patrick Spinler wrote:
>Craig A. Berry wrote:

>>  Do you have a simple case that
>>will exercise the bug?
>
>$ mcr authorize add /id /attrib=subsystem testing_subsys_id
>$ mcr grant/id testing_subsys_id testaccount
>$ set host 0
>login: testaccount
>...
>$ perl
>(failure here)

Very odd, but I can't reproduce it using that.  The $GETJPI docs to
the RIGHTSLIST item code say that KGB$M_SUBSYSTEM only applies to
VAX, but that can't be right, can it?  FWIW I've been using OpenVMS
Alpha 7.3-1 and a bleadperl from a few weeks ago.  In any case I can
exercise the bug by depositing a true value into will_taint in the
debugger.


Here's a patch that fixes the accvio and does successfully insert -T
into the argument vector.  There were several pointer-related nasties
in this little section of code, such as the fact that *argcp++
increments the pointer before dereferencing it instead of
dereferencing it before incrementing.

Patrick, if you have a chance to test this, I'd appreciate it.  I
have exercised the new code in the debugger and it looks like it's
doing the right thing, but this is pretty twisty stuff.

+++ vms/vms.c   Thu Feb 13 18:05:12 2003
@@ -4449,15 +4449,19 @@
    * hasn't been allocated when vms_image_init() is called.
    */
   if (will_taint) {
-    char ***newap;
-    New(1320,newap,*argcp+2,char **);
-    newap[0] = argvp[0];
-    *newap[1] = "-T";
-    Copy(argvp[1],newap[2],*argcp-1,char **);
+    char **newargv, **oldargv;
+    oldargv = *argvp;
+    New(1320,newargv,(*argcp)+2,char *);
+    newargv[0] = oldargv[0];
+    New(1320,newargv[1],3,char);
+    strcpy(newargv[1], "-T");
+    Copy(&oldargv[1],&newargv[2],(*argcp)-1,char **);
+    (*argcp)++;
+    newargv[*argcp] = NULL;
     /* We orphan the old argv, since we don't know where it's come from,
      * so we don't know how to free it.
      */
-    *argcp++; argvp = newap;
+    *argvp = newargv;
   }
   else {  /* Did user explicitly request tainting? */
     int i;
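Review bot: In the Copy() call the element type is given as char **, but oldargv and newargv are arrays of char *, as the New(1320,newargv,(*argcp)+2,char *) allocation two lines earlier shows. The two pointer types have the same size, so the copy moves the right number of bytes, but the type argument should be char * so the call says what it copies. The count (*argcp)-1 also assumes *argcp is at least 1 on entry; a short comment stating that assumption, or a guard before the Copy(), would make the block safer to modify later. The slot arithmetic otherwise checks out: (*argcp)+2 slots are allocated, and after (*argcp)++ the NULL terminator lands in the last of them.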
[end of patch]
-- 
________________________________________
Craig A. Berry
mailto:[EMAIL PROTECTED]

"... getting out of a sonnet is much more
 difficult than getting in."
                 Brad Leithauser
