Eggheads: Crash bug in wire.mod, and patch to fix

Bryan Donlan bdonlan at uvmonkey.no-ip.org
Sat Feb 28 17:11:05 CST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have discovered a bug in wire.mod which can cause a crash. wire.c does the
following:
static cmd_t wire_bot[] = {
  {0, 0, 0, 0},                 /* Saves having to malloc :P */
};

and later:
    wire_bot[0].name = wirecmd;
    wire_bot[0].flags = "";
    wire_bot[0].func = (Function) wire_filter;
    add_builtins(H_bot, wire_bot);

However, add_builtins expects that the last element of wire_bot contain a
NULL ->name. This causes wire_bot[1] to be dereferenced, which causes
undefined behavior. Depending on how the bss segment is allocated,
wire_bot[1]->name may be non-null, leading the other elements (which may
be invalid) to be dereferenced. The attached patch corrects this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAQSAN+hz2VlChukwRAm7eAJ911b8U5w8UrT8BFp7mWO1/vMulGgCgumZI
CCjbgToOK6hp4FG5LdZIU5o=
=kcDM
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eggdrop1.6.15-wirecrash.patch
Type: application/octet-stream
Size: 385 bytes
Desc: not available
URL: <http://lists.eggheads.org/pipermail/eggheads/attachments/20040228/a6689486/attachment.obj>
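
The missing-terminator condition described in the message, as an added example that is not part of the original post and is not the attached patch (which is not reproduced on this page). The cmd_t layout, wire_filter_stub, count_builtins and audit are simplified stand-ins assumed for illustration, and the two-slot table is one assumed way to terminate the array.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for eggdrop's types (assumed; four fields as in the post). */
typedef int (*Function)(void);
typedef struct {
  const char *name, *flags;
  Function func;
  const char *funcname;
} cmd_t;

#define TABLE_LEN(t) (sizeof(t) / sizeof((t)[0]))

/* Layout from the post: one slot, filled at runtime, no terminator after it. */
static cmd_t wire_unterminated[] = {
  {0, 0, 0, 0},
};

/* Assumed correction: a second all-zero slot remains as the NULL-name terminator. */
static cmd_t wire_terminated[] = {
  {0, 0, 0, 0},
  {0, 0, 0, 0},
};

static int wire_filter_stub(void) { return 0; }

/* Hypothetical bounded walker: returns the number of entries before the
 * NULL-name terminator and never reads past cap elements. Returns -1 when
 * the array holds no terminator, which is the case where an unbounded
 * walk would read wire_bot[1]. */
static int count_builtins(const cmd_t *tbl, size_t cap)
{
  size_t i;
  for (i = 0; i < cap; i++)
    if (tbl[i].name == NULL)
      return (int) i;
  return -1;
}

/* Fill slot 0 as the snippet in the post does (constructed name), then check. */
static int audit(cmd_t *tbl, size_t cap)
{
  tbl[0].name = "wire-constructed";
  tbl[0].flags = "";
  tbl[0].func = wire_filter_stub;
  return count_builtins(tbl, cap);
}

int main(void)
{
  printf("unterminated: %d\n", audit(wire_unterminated, TABLE_LEN(wire_unterminated)));
  printf("terminated:   %d\n", audit(wire_terminated, TABLE_LEN(wire_terminated)));
  return 0;
}
```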

