[Bug 195918] /bin/sh crash caused by a particular script

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Dec 13 01:23:10 UTC 2014


--- Comment #4 from jason.unovitch at gmail.com ---
An interesting observation to add, I can trigger this on my amd64 box but not
on my i386 router.  After further investigation, I found through using GDB on
an old 9.1 VM with bin/sh compiled with debuging that expand.c runs atoi and
uses the negative number it receives to read from an array index.  I've
attached the diff but it's crude and I don't think this is the "right" solution
but does prevent any seg faults and errors out cleanly with the bad

64 bit:

FreeBSD xts-bsd 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11
21:02:49 UTC 2014     root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
jason at xts-bsd:/usr/src/bin/sh % sh
$ echo b=${1985234857347568347:12:5}
Segmentation fault

32 bit:

FreeBSD xts-rtr 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274562M: Sun Nov 16
07:37:32 UTC 2014    
root at xts-bsd:/usr/obj/nanobsd.soekris/i386.i386/usr/src/sys/GENERIC  i386
jason at xts-rtr:~ % sh
$ echo b=${1985234857347568347:12:5}
${1985234857347568347:1...}: Bad substitution

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list