Hi Mike
I have had a look at this. First of all I do not think the CVE is completely fixed even with the additional patch. I also do not fully understand how 6111-2.patch is supposed to work. More about this below.
Let us give some example commands.
[1] scp host:/foobar/a* b
[2] scp host:a* b
[3] scp -r host /foobar/a* b
[4] scp -r host a* b
My understanding is that only case 1 is protected by 6111-1.patch.
6111-2.patch seems to protect against case 2.
But to my understanding we do not protect against 3 and 4. Am I missing something?
Anyway I have tried to see if I could reproduce the segfault. I do not know fully how you have tested it so I decided to copy the new code to a new test.c file and test different patterns.
The functionality as such seems to be working fine.
I made one change, though, to make it work. I changed xstrdup to strdup because I could not find how to link against it for some reason. Could that be your problem too?
Essentially my test.c file looks like this:
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <bsd/stdlib.h>
#include <string.h>
#include <publib.h>
/* stand-in so that calls to fatal() in the copied code compile */
#define fatal sprintf
/* ... the new functions code here ... */
/* Expand one pattern with brace_expand() and print every result. */
int testpattern(char* pattern) {
    char **patterns = NULL;
    size_t npatterns = 0;
    size_t i = 0;
    printf("==== Test pattern %s ====\n", pattern);
    brace_expand(pattern, &patterns, &npatterns);
    for (i = 0; i < npatterns; i++) {
        printf("Pattern %zu: %s\n", i, patterns[i]);
    }
    return 0;
}
int main(int argc, char** argv) {
    testpattern("filea");
    testpattern("dira/filea");
    testpattern("dira/file{a,b}");
    testpattern("file{a,b}");
    testpattern("file*");
    testpattern("file{a,b}{c,d}");
    testpattern("file{a,b}*");
    testpattern("dir{a,b}*/d");
    testpattern("dir{a,b}/file*{a,b}*");
    return 0;
}
I could not reproduce the crash. How did you reproduce it?
Best regards
// Ola