From 6a2682e80de236ad911916a095c5a1ce1f481ef3 Mon Sep 17 00:00:00 2001 From: wangjianyu3 Date: Sat, 12 Oct 2024 15:33:09 +0800 Subject: [PATCH 1/2] nshlib: Fix stack-buffer-overflow of nsh_redirect() Board/Config/Command sim:nsh cat < /etc/init.d/rc.sysinit Problem The NSH hangs after exec the test command. `nsh_redirect()` needs to save three fd but array length is only two, stack buffer overflowed! Related: https://github.com/apache/nuttx-apps/pull/2469 Signed-off-by: wangjianyu3 --- nshlib/nsh_console.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nshlib/nsh_console.h b/nshlib/nsh_console.h index a03ea664ace..31edf27e689 100644 --- a/nshlib/nsh_console.h +++ b/nshlib/nsh_console.h @@ -71,7 +71,7 @@ * See struct serialsave_s in nsh_console.c */ -#define SAVE_SIZE (2 * sizeof(int)) +#define SAVE_SIZE (3 * sizeof(int)) /* Are we using the NuttX console for I/O? Or some other character device? */ From ca74f6d36dbc7d59850598bd5cd756f16596f36e Mon Sep 17 00:00:00 2001 From: wangjianyu3 Date: Sat, 12 Oct 2024 16:37:17 +0800 Subject: [PATCH 2/2] nshlib: Fix a typo error of redirect Signed-off-by: wangjianyu3 --- nshlib/nsh_parse.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nshlib/nsh_parse.c b/nshlib/nsh_parse.c index 2c716946ff4..c2ccb2a21de 100644 --- a/nshlib/nsh_parse.c +++ b/nshlib/nsh_parse.c @@ -2855,10 +2855,12 @@ static int nsh_parse_command(FAR struct nsh_vtbl_s *vtbl, FAR char *cmdline) vtbl->np.np_redir_out = redirect_out_save; } + /* Free the redirected input file path */ + if (redirfile_in) { nsh_freefullpath(redirfile_in); - vtbl->np.np_redir_out = redirect_in_save; + vtbl->np.np_redir_in = redirect_in_save; } dynlist_free: