From: "carlos at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18096] null deref in wordexp/parse_dollars/parse_arith
Date: Wed, 11 Mar 2015 16:20:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=18096

--- Comment #8 from Carlos O'Donell ---
(In reply to Andreas Schwab from comment #6)
> Where does the standard require the suppression of the side effects?

It doesn't, it leaves it up to the implementation.

POSIX does mention this:
~~~
Unless WRDE_SHOWERR is set in flags, wordexp() shall redirect stderr to /dev/null for any utilities executed as a result of command substitution while expanding words. If WRDE_SHOWERR is set, wordexp() may write messages to stderr if syntax errors are detected while expanding words; however, it is unspecified whether any write errors encountered while outputting such messages will affect the stderr error indicator or the value of errno.
~~~

It would still seem to me that the principle of least surprise is that when I call wordexp to do trivial shell expansion it should not print anything by default, like is done for utilities.

POSIX says:
~~~
The expansions shall be the same as would be performed by the command line interpreter if words were the part of a command line representing the arguments to a utility.
~~~

Which in my opinion means that the *expansion* is the only part that will be the *same* as would be performed on the command line. The side-effect of ${VAR?} expanding and printing an error is potentially relevant, but I think should be guarded by WRDE_SHOWERR.

Therefore the suggested fix would be:

diff --git a/posix/wordexp.c b/posix/wordexp.c index e3d8d6b..e66b459 100644 --- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -1836,11 +1836,11 @@ envsubst: if (!colon_seen && value) /* Substitute NULL */ ; - else + else if (flags & WRDE_SHOWERR) { const char *str = pattern; - if (str[0] == '\0') + if (str == NULL || str[0] == '\0') str = _("parameter null or not set"); __fxprintf (NULL, "%s: %s\n", env, str);
---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

int
main()
{
  int i;
  /* VAR is expected to be unset in the environment.  */
  char *p = strdup("${VAR?}");
  char **res;
  wordexp_t w;

  /* flags == 0, so WRDE_SHOWERR is not set.  */
  wordexp(p, &w, 0);
  res = w.we_wordv;
  for (i = 0; i < w.we_wordc; i++)
    printf("%s\n", res[i]);
  wordfree(&w);
  return 0;
}

* Before the fix crashes.
* After the fix, but without checking WRDE_SHOWERR it prints:
VAR: parameter null or not set
* After the fix, and honouring WRDE_SHOWERR it prints nothing.
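Review bot: In the `@@ -1836,11 +1836,11 @@` hunk, `else if (flags & WRDE_SHOWERR)` puts the whole braced block behind the flag, so the new `str == NULL` check is only reached when WRDE_SHOWERR is set. That does keep the default path away from `str[0]`, but it ties the crash fix to the policy change about printing. Consider keeping the plain `else` with the NULL check and wrapping only the `__fxprintf (NULL, "%s: %s\n", env, str);` call in the flag test, so the two changes can be reviewed and reverted separately and nothing later added to the block is silently skipped. The hunk shows the block only as far as the `__fxprintf` call, so please confirm that whatever reports the failure to the caller sits outside it and still runs with the flag clear. A short comment on the new condition saying why the message is suppressed by default, and a regression test for `${VAR?}` with `VAR` unset, run both with and without WRDE_SHOWERR, would be worth adding to the patch.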