From howcanthisbe300@hotmail.com  Sat Feb 15 13:23:48 2003
Return-Path: <howcanthisbe300@hotmail.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E998D37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Feb 2003 13:23:48 -0800 (PST)
Received: from hotmail.com (f114.pav2.hotmail.com [64.4.37.114])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8B7F443FAF
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Feb 2003 13:23:48 -0800 (PST)
	(envelope-from howcanthisbe300@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Sat, 15 Feb 2003 13:23:48 -0800
Received: from 217.229.64.209 by pv2fd.pav2.hotmail.msn.com with HTTP;
	Sat, 15 Feb 2003 21:23:48 GMT
Message-Id: <F114T5jR7oZvo0GRF4j00035ddb@hotmail.com>
Date: Sat, 15 Feb 2003 21:23:48 +0000
From: "How Can ThisBe" <howcanthisbe300@hotmail.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Segmentation fault in sh with attached script

>Number:         48318
>Category:       bin
>Synopsis:       Segmentation fault in sh with attached script
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    stefanf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 15 13:30:06 PST 2003
>Closed-Date:    Sun May 16 10:07:18 UTC 2010
>Last-Modified:  Sun May 16 10:07:18 UTC 2010
>Originator:     tigger
>Release:        FreeBSD 5.0-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD piglet.l--v--l.net 5.0-RELEASE-p1 FreeBSD 5.0-RELEASE-p1 #0:
Tue Feb 4 23:45:23 CET 2003 
tigger@piglet.l--v--l.net:/usr/obj/usr/src/sys/PIGLET i386

>Description:
I was working on a simple sh script when I was surprised that I was able to
produce a Segmentation fault (core dumped) crash of /bin/sh

>How-To-Repeat:
The following script will repeat the crash on my system every time with
the following command line

sh $0 -Drv
-- start script --
#!/bin/sh
while getopts ":Ddhrv:" COMMAND_LINE_ARGUMENT
do
        case "${COMMAND_LINE_ARGUMENT}" in
                D)
                        d="YES"
                        f="NO" ;;
                d)
                        shift 1
                        d="YES" ;;
                h)
                        shift 1
                        h="YES" ;;
                r)
                        shift 1
                        r="YES" ;;
                v)
                        shift 1
                        v="v" ;;
        esac
done
exit 0
-- end script --

Commenting out the 'shift 1' on the -r will prevent the crash - strange.
There is a good chance that my syntax is wrong, but I'm teaching myself
:]

>Fix:

Comment out the 'shift 1' on the -r section, not sure why that prevents
the crash



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: mtm 
State-Changed-When: Sat Feb 15 16:42:07 PST 2003 
State-Changed-Why:  
It looks like sh(1) fails to handle the corner-case where
the last argument to the script is supposed to take an argument, but
none is specified.


Responsible-Changed-From-To: freebsd-bugs->mtm 
Responsible-Changed-By: mtm 
Responsible-Changed-When: Sat Feb 15 16:42:07 PST 2003 
Responsible-Changed-Why:  
I'll take this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 
State-Changed-From-To: analyzed->feedback 
State-Changed-By: mtm 
State-Changed-When: Sat Feb 15 17:03:21 PST 2003 
State-Changed-Why:  
Patch submitted to the originator for evaluation. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 

From: Mike Makonnen <mtm@identd.net>
To: "How Can ThisBe" <howcanthisbe300@hotmail.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/48318: Segmentation fault in sh with attached script
Date: Sat, 15 Feb 2003 20:02:45 -0500

 First,
 Your script is flawed. If you include a ':' after a letter in the option string
 that means you expect an argument to come after it:
 sh <script> -Drv some_arg
 
 Nonetheless, sh(1) should fail gracefully in this particular case.
 Can you try the following patch, please?
 
 Cheers.
 -- 
 Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
 mtm@identd.net | Fingerprint: D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
 
 Index: bin/sh/options.c
 ===================================================================
 RCS file: /home/ncvs/src/bin/sh/options.c,v
 retrieving revision 1.20
 diff -u -r1.20 options.c
 --- bin/sh/options.c	30 Jun 2002 05:15:04 -0000	1.20
 +++ bin/sh/options.c	16 Feb 2003 01:01:42 -0000
 @@ -453,6 +453,8 @@
  	}
  
  	if (*++q == ':') {
 +		if (*optnext == NULL)
 +			error("Expecting an argument to '%c'", c);
  		if (*p == '\0' && (p = **optnext) == NULL) {
  			if (optstr[0] == ':') {
  				s[0] = c;
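
Review bot: the added '*optnext == NULL' test sits at the top of the ':' branch, ahead of the existing '*p == '\0' && (p = **optnext) == NULL' condition, so it calls error() before the 'optstr[0] == ':'' case just below can run. That case is the one taken for an option string with a leading ':' such as the reporter's ":Ddhrv:", and this change bypasses it. The test is also unconditional, so it fires when '*p != '\0'', where the existing code would not have consulted optnext at all. Consider folding the NULL test into the existing condition, for example '*p == '\0' && (*optnext == NULL || (p = **optnext) == NULL)', so that a missing argument goes through the handling that is already there.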

From: "How Can ThisBe" <howcanthisbe300@hotmail.com>
To: mtm@identd.net
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/48318: Segmentation fault in sh with attached script
Date: Sun, 16 Feb 2003 10:50:51 +0000

 I assumed I had the wrong syntax and as you stated, sh should have failed 
 gracefully.
 
 The patch works without a problem. Thanks for the quick fix!
 
 
 >From: Mike Makonnen <mtm@identd.net>
 >Subject: Re: bin/48318: Segmentation fault in sh with attached script
 >Date: Sat, 15 Feb 2003 20:02:45 -0500
 >
 >First,
 >Your script is flawed. If you include a ':' after a letter in the option 
 >string
 >that means you expect an argument to come after it:
 >sh <script> -Drv some_arg
 >
 >Nonetheless, sh(1) should fail gracefully in this particular case.
 >Can you try the following patch, please?
 >
 
 

From: Mike Makonnen <mtm@identd.net>
To: "How Can ThisBe" <howcanthisbe300@hotmail.com>
Cc: bug-followup@freebsd.org
Subject: Re: bin/48318: Segmentation fault in sh with attached script
Date: Sun, 16 Feb 2003 12:38:47 -0500

 This patch is not optimum. It breaks some other things. 
 I'll work on it some more.
 
 Cheers.
 -- 
 Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
 mtm@identd.net | Fingerprint: D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
Responsible-Changed-From-To: mtm->freebsd-bugs 
Responsible-Changed-By: mtm 
Responsible-Changed-When: Fri Jan 25 15:14:43 UTC 2008 
Responsible-Changed-Why:  
Return to the general pool in case anyone else is interested in pursuing this further. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: mtm@FreeBSD.org
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/48318: Segmentation fault in sh with attached script
Date: Sun, 27 Jan 2008 12:26:25 +0200

 [PR bin/48318]
 > This patch is not optimum. It breaks some other things.
 
 Can you please elaborate on which other things the patch breaks?
 
Responsible-Changed-From-To: freebsd-bugs->stefanf 
Responsible-Changed-By: stefanf 
Responsible-Changed-When: Sat Mar 22 14:08:37 UTC 2008 
Responsible-Changed-Why:  
Grab. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 
State-Changed-From-To: feedback->patched 
State-Changed-By: stefanf 
State-Changed-When: Sat Mar 22 14:08:49 UTC 2008 
State-Changed-Why:  
A fix has been committed to current. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/48318: commit references a PR
Date: Sat, 22 Mar 2008 14:06:11 +0000 (UTC)

 stefanf     2008-03-22 14:06:01 UTC
 
   FreeBSD src repository
 
   Modified files:
     bin/sh               options.c 
   Log:
   Reset the internal state used for the 'getopts' built-in when 'shift' or 'set'
   are used to modify the arguments.  Not doing so caused random memory reads or
   null pointer dereferences when 'getopts' was called again later (SUSv3 says
   getopts produces unspecified results in this case).
   
   PR:     48318
   
   Revision  Changes    Path
   1.26      +2 -2      src/bin/sh/options.c
 
State-Changed-From-To: patched->closed 
State-Changed-By: stefanf 
State-Changed-When: Sun Apr 20 18:10:24 UTC 2008 
State-Changed-Why:  
Merged to RELENG_6 and RELENG_7. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 

From: Martin Kammerhofer <dada@sbox.tugraz.at>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/48318: Segmentation fault in sh with attached script
Date: Wed, 02 Jul 2008 17:41:49 +0200

 The committed patch breaks a lot of my scripts.
 The problem is this: In many sh-scripts I use boilerplate code like
 
    while getopts "...x..." option
    do
      case "$option" in
      (x) set -x;;
 
 Now, using -x actually makes getopts enter an infinite loop. :-(
 A trivial solution relative to the already committed patch is this:
 <---cut here-----------
 --- /usr/src/bin/sh/options.c~	2008-04-20 20:08:46.000000000 +0200
 +++ /usr/src/bin/sh/options.c	2008-07-02 08:46:46.000000000 +0200
 @@ -339,6 +339,7 @@
   	shellparam.nparam = nparam;
   	shellparam.p = newparam;
   	shellparam.optnext = NULL;
 +	shellparam.reset = 1;
   }
 
 
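Review bot: 'shellparam.reset = 1' is now set next to 'shellparam.optnext = NULL' in the function that installs newparam, so every caller of that function resets the getopts state, not only the call site edited in the next hunk. A one-line comment here saying that the reset belongs to replacing the positional parameters would record the intent. It is also worth confirming that the 'shift' path named in the earlier commit log still sets reset itself, since that code is not part of this diff.
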
 @@ -405,7 +406,6 @@
   	if (*argptr != NULL) {
   		setparam(argptr);
   	}
 -	shellparam.reset = 1;
   	INTON;
   	return 0;
   }
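
Review bot: with 'shellparam.reset = 1' removed after the 'if (*argptr != NULL)' block, a call that passes only options (the 'set -x' case from the report, where 'setparam(argptr)' is skipped) no longer resets getopts, and nothing in the patch guards that behaviour. Suggest adding regression tests for both directions: 'set -x' inside a 'while getopts' loop must let the loop finish, and replacing the positional parameters with 'set --' followed by new arguments must still make the next getopts start from the first argument.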
 
 
State-Changed-From-To: closed->open 
State-Changed-By: stefanf 
State-Changed-When: Thu Jul 3 17:57:51 UTC 2008 
State-Changed-Why:  
The fix seems to have introduced a new problem. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 
State-Changed-From-To: open->patched 
State-Changed-By: stefanf 
State-Changed-When: Wed Aug 27 20:44:09 UTC 2008 
State-Changed-Why:  
I finally committed the fix you suggested to head. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 
State-Changed-From-To: patched->closed 
State-Changed-By: stefanf 
State-Changed-When: Sun May 16 10:06:10 UTC 2010 
State-Changed-Why:  
The correction has been merged back in 2008. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48318 
>Unformatted:
 >with attached script
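
The getopts usage discussed in this PR, as an added example that is not code from the PR or from FreeBSD: the loop leaves the positional parameters alone, handles the missing-argument and unknown-option cases that a leading ':' in the option string reports through the option variable, and shifts once after parsing. The function name parse_opts and its variables are hypothetical; the option string is the one from the reporter's script.

```sh
#!/bin/sh
# Added example, not from the PR. parse_opts and its variable names are
# hypothetical; the option string ":Ddhrv:" is the reporter's.

# Parse the arguments and print a one-line summary of the result.
parse_opts() {
    OPTIND=1                      # start every parse from a known getopts state
    d=NO h=NO r=NO v= err=
    while getopts ":Ddhrv:" opt; do
        case "$opt" in
            D|d) d=YES ;;
            h)   h=YES ;;
            r)   r=YES ;;
            v)   v=$OPTARG ;;     # 'v:' means -v takes an argument
            # Leading ':' selects silent mode: a missing argument yields
            # opt=':' and an unknown option yields opt='?', with the
            # offending option letter in OPTARG in both cases.
            :)   err="missing argument for -$OPTARG" ;;
            \?)  err="unknown option -$OPTARG" ;;
        esac
        # No 'shift' inside the loop: getopts tracks its position in OPTIND,
        # and changing the arguments under it gives unspecified results.
    done
    shift $((OPTIND - 1))         # drop the parsed options once, after the loop
    echo "d=$d h=$h r=$r v=$v err=$err rest=$*"
}

# The reporter's invocation (-v has no argument), then a well-formed one.
parse_opts -Drv
parse_opts -Drv 3 file.txt
```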
