Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site wacsvax.OZ
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!decvax!mulga!munnari!basser!wacsvax!glenn
From: glenn@wacsvax.OZ (Glenn Huxtable)
Newsgroups: net.bugs.4bsd
Subject: Re: bug in CSH (history)
Message-ID: <161@wacsvax.OZ>
Date: Wed, 24-Oct-84 21:30:25 EST
Article-I.D.: wacsvax.161
Posted: Wed Oct 24 21:30:25 1984
Date-Received: Thu, 8-Nov-84 00:51:08 EST
References: <56@pixutl.UUCP>
Organization: Comp. Sci. University of Western Australia.
Lines: 62

A fix was reported for a bug in scanning 'history' command arguments
of CSH. I installed this fix, to find another bug. The fix was given as ...

	>2) The validity of the flags is not checked and since the argument 
	>   pointer is only incremented when a valid flag is found, using a
	>    wrong flag throws the Cshell in a loop.
	>2) in sh.hist.c, change the following lines in dohist():
	>	vp++;
	>	while (*vp && *vp[0] == '-') {
	>		if (*vp && eq(*vp, "-h")) {
	>			hflg++;
	>			vp++;
	>		}
	>		if (*vp && eq(*vp, "-r")) {
	>			rflg++;
	>			vp++;
	>		}
	>	}
	>to:
	>	while (*++vp && **vp == '-') {
	>		while(*++*vp)
	>			switch(**vp) {
	>			case 'h':
	>				hflg++; break;
	>			case 'r':
	>				rflg++; break;
	>			case '-': /* ignore multiple '-'s */
	>				break;
	>			default:
	>				printf("Unknown flag: -%c\n", **vp);
	>				error("Usage: history [-rh] [# of events]");
	>			}
	>	}

The fix introduced another bug, as the line 'while(*++*vp)' modifies the
argument pointer in scanning through the argument. Later CSH tries to use this
pointer (which now points to the end of the argument) to free the memory
used to store the command. Free (malloc) gets an mfree botch and CSH dies.
The solution is to use a local pointer 'vp2' say the fix becomes ...

=>	char *vp2;
	...
	while (*++vp && **vp == '-') {
=>		vp2 = *vp;
=>		while(*++vp2)
=>			switch(*vp2) {
			case 'h':
				hflg++; break;
			case 'r':
				rflg++; break;
			case '-': /* ignore multiple '-'s */
				break;
			default:
=>				printf("Unknown flag: -%c\n", *vp2);
				error("Usage: history [-rh] [# of events]");
			}
	}
-----------------------------------------------------
Glenn Huxtable					Department of Computer Science
						University of Western Australia
USENET:		...decvax!mulga!wacsvax!glenn
OZNET:		glenn:wacsvax