On 10/9/14, 4:50 PM, Eduardo A. Bustamante López wrote:

> Second, once you generate a command, how will your test program know
> if it found a bug? It's easy when bash segfaults, but in the case of
> shellshock, it wasn't a crash.

This is the problem. It's hard to tell whether bash reporting a syntax error is a true syntax error, or a bug. The odds are considerably in favor of the former, which make it hard to weed out the false positives.

You can use an environment variable in the form of an exported function to test the parser, or run bash with the -n option, to minimize potential damage to your system.

The fact that Michal's fuzzer found bugs that had been in bash for years and never reported is a testament to the value of the approach. It just takes a lot of work to wade through the results.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
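
The `-n` route mentioned in the reply above, as an added example that is not part of the original message or of bash's own test suite: each candidate is parsed with `bash -n` (read but not executed) and sorted into buckets, so crashes stand apart from the much larger pile of ordinary syntax errors. The function names, labels and sample inputs are constructed for illustration; the only assumptions are that `bash` is on `PATH` and the usual shell convention that a status of 128 or more means the child died on a signal.

```shell
#!/bin/sh
# Added example: parse-only triage of candidate inputs with `bash -n`.
# Function names and labels are hypothetical; sample inputs are constructed.

BASH_BIN=${BASH_BIN:-bash}

# Map the parser's exit status to a triage label.
classify_status() {
    case "$1" in
        0)       echo parsed ;;          # accepted by the parser
        126|127) echo harness-error ;;   # bash itself could not be run
        *)       if [ "$1" -ge 128 ]; then
                     echo crash          # killed by a signal: look at this one
                 else
                     echo rejected       # bash reported an error: usually genuine
                 fi ;;
    esac
}

# Feed one candidate to bash on stdin. With -n, commands are read but never
# executed, so a hostile or nonsensical candidate cannot touch the system.
triage_input() {
    status=0
    printf '%s\n' "$1" | "$BASH_BIN" -n >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Triage one candidate per line from stdin, printing "label<TAB>candidate".
triage_stream() {
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        printf '%s\t%s\n' "$(triage_input "$candidate")" "$candidate"
    done
}

# Constructed sample candidates.
triage_stream <<'EOF'
echo hello
if then
f() { echo hi; }
EOF
```

The `rejected` bucket still needs manual review, which is the hard part the reply describes; the script only removes the cases that need no judgement.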