From 557482c1cbeacaeb24247738b09983a0736d407a Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Sun, 25 Sep 2016 21:24:04 +0200
Subject: [PATCH] ash: in heredoc code, fix access past the end of allocated memory. Closes 9276
Signed-off-by: Denys Vlasenko
---
 shell/ash.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/shell/ash.c b/shell/ash.c
index 578b3dc22..a113ff155 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -5112,8 +5112,26 @@ openredirect(union node *redir)
 char *fname;
 int f;
- fname = redir->nfile.expfname;
 switch (redir->nfile.type) {
+/* Can't happen, our single caller does this itself */
+// case NTOFD:
+// case NFROMFD:
+// return -1;
+ case NHERE:
+ case NXHERE:
+ return openhere(redir);
+ }
+
+ /* For N[X]HERE, reading redir->nfile.expfname would touch beyond
+ * allocated space. Do it only when we know it is safe.
+ */
+ fname = redir->nfile.expfname;
+
+ switch (redir->nfile.type) {
+ default:
+#if DEBUG
+ abort();
+#endif
 case NFROM:
 f = open(fname, O_RDONLY);
 if (f < 0)
@@ -5146,20 +5164,6 @@ openredirect(union node *redir)
 if (f < 0)
 goto ecreate;
 break;
- default:
-#if DEBUG
- abort();
-#endif
- /* Fall through to eliminate warning. */
-/* Our single caller does this itself */
-// case NTOFD:
-// case NFROMFD:
-// f = -1;
-// break;
- case NHERE:
- case NXHERE:
- f = openhere(redir);
- break;
 }
 return f;
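Review bot: The `default:` label in the second switch of the first hunk falls through to `case NFROM:` when DEBUG is off, so any node type other than NHERE/NXHERE still reaches `fname = redir->nfile.expfname` and then `open(fname, O_RDONLY)`. The new comment explains why N[X]HERE must not read expfname, but for every other type the read is safe only because the caller filters NTOFD/NFROMFD, and that invariant is recorded only next to the commented-out cases in the first switch. I would state it where the read happens, e.g. `/* Only nfile nodes get here: N[X]HERE returned above, NTOFD/NFROMFD are handled by our single caller */`, and mark the label with `/* fall through: in non-DEBUG builds an unexpected type is treated as NFROM */`. The cases between the two hunks and the rest of openredirect are outside the hunks, so whether another type can reach this point could not be checked from here.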