Message-ID: <20160104030558.GT238@brightrain.aerifal.cx> Date: Sun, 3 Jan 2016 22:05:58 -0500 From: Rich Felker <dalias@...c.org> To: musl@...ts.openwall.com Subject: Re: [PATCH] fix use of pointer after free in unsetenv On Mon, Jan 04, 2016 at 02:09:44AM +0300, Alexander Cherepanov wrote: > Hi! > > The code in [1] uses a pointer which was freed and hence has an > indeterminate value. Patch attached. > > [1] http://git.musl-libc.org/cgit/musl/tree/src/env/unsetenv.c#n23 The bug sounds a lot scarier than it actually is. I don't think any compilers will break this yet but it is indeed UB. > >From f446b5811a8abc08bcc8202aa241dce82d4c917d Mon Sep 17 00:00:00 2001 > From: Alexander Cherepanov <cherepan@...me.ru> > Date: Mon, 4 Jan 2016 01:40:03 +0300 > Subject: [PATCH] fix use of pointer after free in unsetenv > > the value of a pointer becomes indeterminate after free() so delay free() > until the pointer is not needed anymore. > > --- > src/env/unsetenv.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/env/unsetenv.c b/src/env/unsetenv.c > index 3569335..b5d8b19 100644 > --- a/src/env/unsetenv.c > +++ b/src/env/unsetenv.c > @@ -19,9 +19,10 @@ again: > if (__environ[i]) { > if (__env_map) { > for (j=0; __env_map[j] && __env_map[j] != __environ[i]; j++); > - free (__env_map[j]); > + char *t =__env_map[j]; > for (; __env_map[j]; j++) > __env_map[j] = __env_map[j+1]; > + free (t); Wouldn't something like this be simpler: do __env_map[j] = __env_map[j+1]; while (__env_map[++j]); Rich
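Review bot: In the added line `char *t =__env_map[j];`, `t` is NULL whenever the search loop above it stops at the terminator rather than at a match. The deferred `free (t);` then relies on free(NULL) being a no-op, and the shift loop `for (; __env_map[j]; j++)` relies on testing `__env_map[j]` before its body runs. Both hold as written, but a one-line comment on the not-found case would help: any rewrite of the shift loop that runs the body before the test would read `__env_map[j+1]` past the terminating NULL in that case. Minor style point: the `=` in the new declaration has a space on one side only, so write it as `char *t = __env_map[j];`.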