From christos@zoulas.com  Thu Dec 26 03:48:53 2002
Return-Path: <christos@zoulas.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id ECA2237B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 26 Dec 2002 03:48:53 -0800 (PST)
Received: from beowulf.gw.com (beowulf.gw.com [204.80.150.34])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C851043E4A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 26 Dec 2002 03:48:52 -0800 (PST)
	(envelope-from christos@zoulas.com)
Received: by beowulf.gw.com (Postfix, from userid 10080)
	id DCB2C7E4C; Thu, 26 Dec 2002 06:48:51 -0500 (EST)
Message-Id: <20021226114851.DCB2C7E4C@beowulf.gw.com>
Date: Thu, 26 Dec 2002 06:48:51 -0500
From: christos@zoulas.com (Christos Zoulas)
To: Peter Jeremy <peterjeremy@optushome.com.au>,
	FreeBSD-gnats-submit@freebsd.org
In-Reply-To: <200212260440.gBQ4eKUa064588@server.c18609.belrs1.nsw.optusnet.com.au>
       from Peter Jeremy (Dec 26,  3:40pm)
Subject: Re: Inadequate validity checking on args to tcsh builtin 'kill'

>Number:         46542
>Category:       bin
>Synopsis:       Re: Inadequate validity checking on args to tcsh builtin 'kill'
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 26 03:50:01 PST 2002
>Closed-Date:    Wed Jan 01 11:49:37 PST 2003
>Last-Modified:  Thu Oct 07 18:00:56 GMT 2004
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 On Dec 26,  3:40pm, peterjeremy@optushome.com.au (Peter Jeremy) wrote:
 -- Subject: Inadequate validity checking on args to tcsh builtin 'kill'
 
 Thanks, I'll put it in.
 
 christos
 
 | 
 | >Submitter-Id:	current-users
 | >Originator:	Peter Jeremy
 | >Organization:	n/a
 | >Confidential:	no 
 | >Synopsis:	Inadequate validity checking on args to tcsh builtin 'kill'
 | >Severity:	serious
 | >Priority:	low
 | >Category:	bin
 | >Class:		sw-bug
 | >Release:	FreeBSD 4.7-PRERELEASE i386
 | >Environment:
 | System: FreeBSD server.c18609.belrs1.nsw.optusnet.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #4: Sat Sep 14 15:07:16 EST 2002 root@server.c18609.belrs1.nsw.optusnet.com.au:/usr/obj/usr/src/sys/server i386
 | 
 | tcsh: $Id: sh.proc.c,v 3.76 2002/03/08 17:36:46 christos Exp $
 | 
 | >Description:
 | 	The `kill' builtin in tcsh uses atoi(3) to parse numeric arguments
 | 	(pids or signals).  As long as an argument begins with a digit,
 | 	it is treated as a valid number, even if it contains non-numeric
 | 	characters.  This bug does not exist in /bin/kill or zsh.
 | >How-To-Repeat:
 | 	I found the bug when I accidentally entered
 | 	# kill 1q5808
 | 	as root and found my remote shell (and the entire system) died.
 | >Fix:
 | Index: sh.proc.c
 | ===================================================================
 | RCS file: /usr/ncvs/src/contrib/tcsh/sh.proc.c,v
 | retrieving revision 1.1.1.1.2.4
 | diff -u -r1.1.1.1.2.4 sh.proc.c
 | --- sh.proc.c	10 Aug 2002 18:14:45 -0000	1.1.1.1.2.4
 | +++ sh.proc.c	26 Dec 2002 04:25:36 -0000
 | @@ -1536,6 +1536,7 @@
 |      register int signum, len = 0;
 |      register char *name;
 |      Char *sigptr;
 | +    char *ep;
 |      extern int T_Cols;
 |      extern int nsig;
 |  
 | @@ -1566,8 +1567,8 @@
 |   	    }
 |   	}
 |   	if (Isdigit(*sigptr)) {
 | - 	    signum = atoi(short2str(sigptr));
 | -	    if (signum < 0 || signum > (MAXSIG-1))
 | + 	    signum = strtol(short2str(sigptr), &ep, 10);
 | +	    if (signum < 0 || signum > (MAXSIG-1) || *ep)
 |  		stderror(ERR_NAME | ERR_BADSIG);
 |  	}
 |  	else {
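Review bot: in the `Isdigit(*sigptr)` branch the `long` returned by `strtol()` is assigned straight to the `int signum` before the range test, so a digit string too large for `int` can be narrowed to a value inside 0..MAXSIG-1 and pass. Keep the result in a `long`, reject `errno == ERANGE`, and compare against `MAXSIG-1` before narrowing. The `*ep` test alone is enough for trailing junk here, because the `Isdigit` guard guarantees at least one digit was consumed.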
 | @@ -1598,6 +1599,7 @@
 |      sigmask_t omask;
 |  #endif /* BSDSIGS */
 |      Char   *cp, **vp;
 | +    char   *ep;
 |  
 |  #ifdef BSDSIGS
 |      omask = sigmask(SIGCHLD);
 | @@ -1678,11 +1680,16 @@
 |  	    stderror(ERR_NAME | ERR_JOBARGS);
 |  	else {
 |  #ifndef WINNT_NATIVE
 | -	    pid = atoi(short2str(cp));
 | +	    pid = strtol(short2str(cp), &ep, 10);
 |  #else
 | -		pid = strtoul(short2str(cp),NULL,0);
 | +		pid = strtoul(short2str(cp),&ep,0);
 |  #endif /* WINNT_NATIVE */
 | -	    if (kill(pid, signum) < 0) {
 | +	    if (*ep) {
 | +		xprintf("%S: Badly formed number\n", cp);
 | +		err1++;
 | +		goto cont;
 | +	    }
 | +	    else if (kill(pid, signum) < 0) {
 |  		xprintf("%d: %s\n", pid, strerror(errno));
 |  		err1++;
 |  		goto cont;
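Review bot: the new `if (*ep)` test after `strtol(short2str(cp), &ep, 10)` rejects trailing junk but not a conversion that consumed no digits or that overflowed. Also reject `ep` equal to the start of the string and `errno == ERANGE`, and range-check the value before it is stored in `pid`, since either case still falls through to `kill(pid, signum)`. In the WINNT_NATIVE branch `strtoul(..., &ep, 0)` keeps base 0, so `0x`-prefixed and leading-zero octal arguments are accepted there while the other branch is decimal only; the patch should say whether that difference is intended.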
 -- End of excerpt from Peter Jeremy
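
The atoi(3) behaviour described in the report, next to a strict parse, as an added example (not code from tcsh or from the patch above). `parse_lenient` and `parse_strict` are hypothetical names, and the sketch assumes only unsigned decimal digits are acceptable.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse: atoi() stops at the first non-digit and reports no error. */
static int parse_lenient(const char *s)
{
    return atoi(s);
}

/*
 * Hypothetical strict parse: the whole string must be decimal digits and the
 * value must lie in [lo, hi].  Returns 0 and sets *out, or -1 on bad input.
 */
static int parse_strict(const char *s, long lo, long hi, long *out)
{
    char *ep;
    long v;

    /* strtol() would skip leading blanks and accept a sign; refuse both,
     * which also rejects the empty string. */
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &ep, 10);
    if (*ep != '\0' || errno == ERANGE)   /* trailing junk or overflow */
        return -1;
    if (v < lo || v > hi)                 /* check before narrowing to int */
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs; "1q5808" is the argument from the report. */
    const char *args[] = { "1q5808", "15808", "", "12abc" };
    size_t i;

    for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        long v = 0;
        int ok = parse_strict(args[i], 1, INT_MAX, &v) == 0;
        printf("\"%s\": atoi=%d strict=%s\n", args[i],
            parse_lenient(args[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```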
 
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ceri 
State-Changed-When: Wed Jan 1 11:49:11 PST 2003 
State-Changed-Why:  
Misfiled followup to bin/46533 (content migrated).

http://www.freebsd.org/cgi/query-pr.cgi?pr=46542 
>Unformatted:
