Subject: lib/25694: editline(3) el_set(..., EL_SETTY, ...) core dumps
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <lukem@wasabisystems.com>
List: netbsd-bugs
Date: 05/24/2004 21:55:22
>Number: 25694
>Category: lib
>Synopsis: editline(3) el_set(..., EL_SETTY, ...) core dumps
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon May 24 11:56:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Luke Mewburn
>Release: NetBSD 2.0C
>Organization:
Wasabi Systems
>Environment:
System: NetBSD argo 2.0C NetBSD 2.0C (LUKEM_SERVER) #0: Fri Apr 9 00:54:52 EST 2004 lukem@argo:/var/obj/i386/usr/src/sys/arch/i386/compile/LUKEM_SERVER i386
Architecture: i386
Machine: i386
>Description:
Using
el_set(el, EL_SETTY, "susp=", NULL);
in an editline application results in a core dump.
Observe that editline(3) documents EL_SETTY as:
EL_SETTY, const char *, ..., NULL
Using
char buf[30];
snprintf(buf, sizeof(buf), "susp=");
el_set(el, EL_SETTY, buf, NULL);
doesn't core dump.
>How-To-Repeat:
Add
el_set(wash_el, EL_SETTY, "susp=", NULL);
to your editline-capable program.
Run it.
Get a SEGV.
>Fix:
Don't write to the const char **argv value in
libedit/tty.c::tty_stty().
This trivial patch solves the problem, but it may be too
"ugly", so I'm sending it here for review.
(Note the "char d[30]" assumption. "Mmm, hardcoded limits")
Index: tty.c
===================================================================
RCS file: /cvsroot/src/lib/libedit/tty.c,v
retrieving revision 1.20
diff -p -p -u -r1.20 tty.c
--- tty.c 18 Oct 2003 22:37:24 -0000 1.20
+++ tty.c 24 May 2004 11:39:16 -0000
@@ -1151,7 +1151,7 @@ tty_stty(EditLine *el, int argc __attrib
const ttymodes_t *m;
char x;
int aflag = 0;
- const char *s, *d;
+ const char *s;
const char *name;
struct termios *tios = &el->el_tty.t_ex;
int z = EX_IO;
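Review bot: dropping `d` from the function-scope declarations only makes sense together with the `char d[30]` that the next hunk adds inside the `while` loop, so the two hunks must land as one change; the narrowed scope itself is fine because `d` is only used within a single iteration. A short comment at the top of tty_stty() saying why the argument is copied (argv entries may be read-only string literals, which is what produced the SEGV) would save the next reader from re-deriving it.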
@@ -1228,7 +1228,7 @@ tty_stty(EditLine *el, int argc __attrib
return (0);
}
while (argv && (s = *argv++)) {
- char *p;
+ char *p, d[30];
switch (*s) {
case '+':
case '-':
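Review bot: the `30` in `+ char *p, d[30];` is an undocumented limit with no named constant behind it, which is the "hardcoded limits" concern raised above. Size it from what it is matched against (the longest `m_name` in `ttymodes` plus room for the `=value` suffix, as a named constant) or copy into a buffer of `strlen(s) + 1` bytes, so a legitimately long argument is not silently cut to 29 characters.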
@@ -1238,8 +1238,8 @@ tty_stty(EditLine *el, int argc __attrib
x = '\0';
break;
}
- d = s;
- if ((p = strchr(s, '=')) != NULL)
+ strlcpy(d, s, sizeof(d));
+ if ((p = strchr(d, '=')) != NULL)
*p++ = '\0';
for (m = ttymodes; m->m_name; m++)
if (strcmp(m->m_name, d) == 0 &&
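Review bot: `strlcpy(d, s, sizeof(d));` truncates silently, so an argument longer than 29 bytes whose `=` lies past the cutoff reaches `strchr(d, '=')` with no `=` at all and is then compared against `m->m_name` as a bare mode name. Check the return value before the `strchr` (`if (strlcpy(d, s, sizeof(d)) >= sizeof(d))` report the bad argument and continue) rather than letting a truncated name fall through to the table lookup. The relocated write in `*p++ = '\0';` now lands in the local copy instead of the caller's `argv` string, which is the actual fix for the core dump on a string-literal argument.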
>Release-Note:
>Audit-Trail:
>Unformatted:
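The copy-before-split approach taken by the patch, together with the truncation check a fixed-size buffer needs, as an added example in C that is not libedit's code: `ttymode_names`, `struct tty_arg` and `parse_tty_arg` are constructed stand-ins for `ttymodes` and tty_stty(), and the 30-byte buffer passed by the caller mirrors the patch's `d[30]`.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for libedit's ttymodes table: names only. */
static const char *const ttymode_names[] = { "susp", "intr", "erase", "eof", NULL };

/* Parsed form of one stty-style argument such as "susp=", "+intr" or "-erase=^?".
 * value points into the caller-supplied buf, so buf must outlive the result. */
struct tty_arg {
    char sign;          /* '+', '-', or '\0' when no prefix was given */
    int mode;           /* index into ttymode_names, or -1 */
    const char *value;  /* text after '=', or NULL when there was no '=' */
};

/* Parse s without ever writing through it: s may be a string literal, which is
 * exactly the case that crashed tty_stty(). The NUL that splits the name from
 * its value goes into buf, a private copy. Returns 0 on success, -1 when the
 * argument does not fit in buf (no silent truncation) or names no known mode. */
int parse_tty_arg(const char *s, char *buf, size_t buflen, struct tty_arg *out)
{
    char *p;
    size_t n;

    out->sign = '\0';
    out->mode = -1;
    out->value = NULL;
    if (*s == '+' || *s == '-')
        out->sign = *s++;

    n = strlen(s);
    if (n >= buflen)            /* reject rather than match a truncated name */
        return -1;
    memcpy(buf, s, n + 1);

    if ((p = strchr(buf, '=')) != NULL) {
        *p++ = '\0';            /* modifies our copy, not the caller's string */
        out->value = p;
    }
    for (int i = 0; ttymode_names[i] != NULL; i++) {
        if (strcmp(ttymode_names[i], buf) == 0) {
            out->mode = i;
            return 0;
        }
    }
    return -1;                  /* unknown mode name */
}
```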