Page MenuHomeFreeBSD
Differential D6482

Hopefully fix Coverity CID 1008328 in /bin/sh
ClosedPublic
Actions

Authored by truckman on May 21 2016, 5:59 AM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 23 2024, 1:52 PM
Unknown Object (File)
Feb 1 2024, 2:39 PM
Unknown Object (File)
Jan 23 2024, 4:36 AM
Unknown Object (File)
Dec 20 2023, 12:54 AM
Unknown Object (File)
Oct 18 2023, 6:43 PM
Unknown Object (File)
Aug 18 2023, 10:55 AM
Unknown Object (File)
Aug 11 2023, 12:58 PM
Unknown Object (File)
Jul 5 2023, 9:43 PM
View All 24 Files
Subscribers
imp

Details

Reviewers
jilles
cem
Commits
rS301140: MFC r300442
rS300442: Hopefully fix Coverity CID 1008328 (Out-of-bounds write) in /bin/sh.
Summary

Replace the magic constant 127 in the loop interation count with
"PROMPTLEN - 1".

gethostname() is not guaranteed to NUL terminate the destination
string if it is too short. Decrease the length passed to
gethostname() by one, and add a NUL at the end of the buffer to
make sure the following loop to find the end of the name properly
terminates.

The default: case is the likely cause of Coverity CID 1008328.
If i is 126 at the top of the loop interation where the default
case is triggered, i will be incremented to 127 by the default
case, then incremented to 128 at the top of the loop before being
compared to 127 (PROMPTLENT - 1) and terminating the loop. Then
the NUL termination code after the loop will write to ps[128].

These fixes are not guaranteed to satisfy Coverity. The code that
increments i in the 'h'/'H' and 'w'/'W' cases may be beyond its
capability to analyze.

BTW, the 'h' and 'H' implementions are reversed vs the man page.
I did not attempt to fix that as part of this patch.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

truckman updated this revision to Diff 16655.May 21 2016, 5:59 AM
truckman retitled this revision from to Hopefully fix Coverity CID 1008328 in /bin/sh.
truckman updated this object.
truckman edited the test plan for this revision. (Show Details)
truckman added reviewers: jilles, cem.
Herald edited edge metadata. · View Herald TranscriptMay 21 2016, 5:59 AM
Herald added a subscriber: imp. · View Herald Transcript
jilles accepted this revision.May 21 2016, 10:15 PM
jilles edited edge metadata.

Looks good to me.

As for \h vs \H, this functionality is intended to match bash. Therefore, the code (including the comment) is correct and the man page is wrong.

This revision is now accepted and ready to land.May 21 2016, 10:15 PM
cem accepted this revision.May 22 2016, 11:08 PM
cem edited edge metadata.
Closed by commit rS300442: Hopefully fix Coverity CID 1008328 (Out-of-bounds write) in /bin/sh. (authored by truckman). · Explain WhyMay 23 2016, 1:01 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
bin/
sh/
10 lines

Diff 16697

View Options

head/bin/sh/parser.c

Loading...