[Tcsh] PATCH: don't walk off the end of mesg[] on signal receipt

Walt Drummond walt at drummond.us
Sat Apr 17 16:03:58 UTC 2021


There is a remote possibility of a crash in tcsh when:
- a process is running in either foreground or background, and
- the kernel delivers a signal to the process where the default action
is to coredump AND the signal number sent is greater than NSIG (i.e.,
the kernel has more signals than user space, or an old tcsh is running
on a newer kernel).

In this case, tcsh will walk off the end of mesg[].

The small patch below (and attached in case Gmail mucks with the
formatting) avoids this possibility by checking the signal number sent
against NSIG before indexing mesg[].

--Walt

---------------------------------

diff -ru tcsh-6.22.03/sh.proc.c tcsh-6.22.03-sigfix/sh.proc.c
--- tcsh-6.22.03/sh.proc.c 2020-11-18 09:34:01.000000000 -0800
+++ tcsh-6.22.03-sigfix/sh.proc.c 2021-04-17 07:14:33.485857299 -0700
@@ -1100,7 +1100,9 @@
  int free_ptr;

  free_ptr = 0;
- ptr = (char *)(intptr_t)mesg[pp->p_reason & 0177].pname;
+ ptr = NULL;
+ if (pp->p_reason & 0177 <= NSIG)
+ ptr = (char *)(intptr_t)mesg[pp->p_reason & 0177].pname;
  if (ptr == NULL) {
      ptr = xasprintf("%s %d", CGETS(17, 5, "Signal"),
      pp->p_reason & 0177);
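Review bot: the new guard `if (pp->p_reason & 0177 <= NSIG)` has an operator-precedence bug: in C, `<=` binds tighter than `&`, so this parses as `pp->p_reason & (0177 <= NSIG)`, which reduces to `pp->p_reason & 1` and is true for every odd reason value instead of bounding the index. Parenthesize the mask: `if ((pp->p_reason & 0177) <= NSIG)`. In addition, if mesg[] is declared with NSIG entries its valid indices are 0..NSIG-1, so the comparison should be `<`, not `<=`; otherwise a reason value of exactly NSIG still reads one element past the end, which is the very overrun the patch sets out to fix. Since `pp->p_reason & 0177` now appears three times in this hunk, hoisting it into a local (e.g. `int sig = pp->p_reason & 0177;`) would make the bound check easier to read and verify; the out-of-range case then correctly falls through to the existing `"Signal %d"` fallback because ptr stays NULL.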