Fix for executable scripts

Steven N. Hirsch (shirsch@ibm.net)
Sat, 23 Nov 1996 13:30:39 -0500


This is a multi-part message in MIME format.

--------------72D9E0D3A1206C32742A691
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I noted with some surprise that this bug has not been corrected in
2.1.13, so here's a quick fix. We need to wait until a null terminator
exists between the interpreter path and any subsequent arguments
before performing a strcpy.

Steve

--------------72D9E0D3A1206C32742A691
Content-Type: text/plain; charset=us-ascii; name="binfmt_script.c.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="binfmt_script.c.diff"

*** binfmt_script.c.orig Fri Nov 22 17:58:16 1996
--- binfmt_script.c Sat Nov 23 12:23:23 1996
***************
*** 13,19 ****

static int do_load_script(struct linux_binprm *bprm,struct pt_regs *regs)
{
! char *cp, *i_name, *i_arg;
char interp[128];
int retval;
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') || (bprm->sh_bang))
--- 13,19 ----

static int do_load_script(struct linux_binprm *bprm,struct pt_regs *regs)
{
! char *cp, *i_name, *i_path, *i_arg;
char interp[128];
int retval;
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') || (bprm->sh_bang))
***************
*** 39,48 ****
break;
}
for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
! if (cp == '\0')
return -ENOEXEC; /* No interpreter name found */
! strcpy (interp, cp);
! i_name = cp;
i_arg = 0;
for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++) {
if (*cp == '/')
--- 39,47 ----
break;
}
for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
! if (*cp == '\0')
return -ENOEXEC; /* No interpreter name found */
! i_name = i_path = cp;
i_arg = 0;
for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++) {
if (*cp == '/')
***************
*** 50,55 ****
--- 49,55 ----
}
while ((*cp == ' ') || (*cp == '\t'))
*cp++ = '\0';
+ strcpy (interp, i_path);
if (*cp)
i_arg = cp;
/*
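Review bot: The added `strcpy (interp, i_path);` writes into the 128-byte `interp` array with no length check, so it is only safe if the interpreter path in `bprm->buf` is NUL-terminated in fewer than 128 bytes, and nothing visible in this hunk establishes that. If the code above the hunk does not already guarantee it, a guard before the copy would make the bound explicit: `if (strlen(i_path) >= sizeof(interp)) return -ENOEXEC;`. A short comment on the copy would also help the next reader, e.g. `/* copy only after the path has been NUL-terminated, so trailing arguments are not included */`. The body of do_load_script starts and ends outside this hunk, so the size of `bprm->buf` and any earlier termination need to be confirmed there.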

--------------72D9E0D3A1206C32742A691--