Message-ID: <alpine.LNX.2.20.1601050020380.30584@monopod.intra.ispras.ru>
Date: Tue, 5 Jan 2016 00:28:12 +0300 (MSK)
From: Alexander Monakov <amonakov@...ras.ru>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] fix use of pointer after free in unsetenv

On Mon, 4 Jan 2016, Rich Felker wrote:
> On Mon, Jan 04, 2016 at 06:47:36PM +0300, Alexander Monakov wrote:
> > On Mon, 4 Jan 2016, Alexander Monakov wrote:
> > > To me the implementation looks weird due to how it restarts scanning __environ
> > > with 'goto again' from position 0 instead of current position. I can propose
> > > the following rewrite (untested):
> 
> The "goto again" is for the rare (generally malicious) case of
> duplicate definitions, to ensure that unsetenv removes them all.

Yes, but my point was that rewinding all the way back to i=0 looks odd -- I
understood the need to scan all entries.

> > Hm, there's no need to preserve relative order of env entries, is there?
> 
> Yes, there is. If FOO=x and FOO=y both appear in environ[],
> unsetenv("BAR") must not cause getenv("FOO") to change from "x" to
> "y".

Thanks, I did not consider that. I'm curious, is that just from QoI
perspective, or also required somewhere?

Alexander
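
An added example, not part of this thread and not musl's code: a single forward pass that removes every duplicate definition while keeping the surviving entries in order, next to a swap-with-last removal that reorders them and so changes which `FOO` a lookup returns. The helper names, the choice of swap-with-last as the order-changing variant, and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

static int is_var(const char *entry, const char *name, size_t l)
{
    return !strncmp(entry, name, l) && entry[l] == '=';
}

/* Hypothetical getenv stand-in: value of the FIRST "name=..." entry, or NULL. */
static const char *env_lookup(char **env, const char *name)
{
    size_t l = strlen(name);
    for (; *env; env++)
        if (is_var(*env, name, l)) return *env + l + 1;
    return NULL;
}

/* One forward pass, no rewind: drop every match, keep survivors in order. */
static int env_remove_all(char **env, const char *name)
{
    size_t l = strlen(name);
    char **dst = env;
    int removed = 0;
    for (char **src = env; *src; src++) {
        if (is_var(*src, name, l)) removed++;
        else *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Contrast: fill each hole with the last entry, which reorders survivors. */
static void env_remove_swap(char **env, const char *name)
{
    size_t l = strlen(name), n = 0, i = 0;
    while (env[n]) n++;
    while (i < n) {
        if (is_var(env[i], name, l)) { env[i] = env[--n]; env[n] = NULL; }
        else i++;
    }
}

int main(void)
{
    char *a[] = { "BAR=1", "FOO=x", "BAR=2", "FOO=y", NULL }; /* constructed */
    char *b[] = { "BAR=1", "FOO=x", "BAR=2", "FOO=y", NULL }; /* constructed */
    env_remove_all(a, "BAR");
    env_remove_swap(b, "BAR");
    return printf("ordered: FOO=%s\nswap: FOO=%s\n", env_lookup(a, "FOO"), env_lookup(b, "FOO")) < 0;
}
```
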
