Message-ID: <alpine.LNX.2.20.1601041818480.29953@monopod.intra.ispras.ru>
Date: Mon, 4 Jan 2016 18:47:36 +0300 (MSK)
From: Alexander Monakov <amonakov@...ras.ru>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] fix use of pointer after free in unsetenv

On Mon, 4 Jan 2016, Alexander Monakov wrote:
> To me the implementation looks weird due to how it restarts scanning __environ
> with 'goto again' from position 0 instead of current position.  I can propose
> the following rewrite (untested):
>
> 	for (i=0; __environ[i]; i++) {
> 		char *e = __environ[i];
> 		if (!memcmp(name, e, l) && e[l] == '=') {
> 			for (j=i--; __environ[j]; j++)
> 				__environ[j] = __environ[j+1];
> 			if (__env_map) {
> 				for (j=0; __env_map[j] && __env_map[j] != e; j++);
> 				if (__env_map[j]) {
> 					free(__env_map[j]);
> 					do __env_map[j] = __env_map[j+1];
> 					while (__env_map[++j]);
> 				}
> 			}
> 		}
> 	}

Hm, there's no need to preserve relative order of env entries, is there?

	for (i=0; __environ[i]; i++);
	for (int im=i-1; i-->0; )
		if (!memcmp(name, __environ[i], l) && __environ[i][l] == '=') {
			if (__env_map) {
				for (j=0; __env_map[j]; j++);
				for (int jm=j-1; j-->0; )
					if (__env_map[j] == __environ[i]) {
						__env_map[j] = __env_map[jm];
						__env_map[jm] = 0;
						free(__environ[i]);
						break;
					}
			}
			if (i != im) __environ[i] = __environ[im];
			__environ[im--] = 0;
		}

(in practice I'd rather spell i-->0 as --i>=0 above)

Alexander
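The swap-with-last removal proposed in the message above, as an added stand-alone model that is not code from the message or from musl: it shows why a backward scan needs no restart and that the freed pointer is only compared, never read, after free(). The names model_unsetenv, heap_copy and demo are hypothetical, and the local arrays env and map stand in for __environ and __env_map.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for __environ / __env_map: env holds every entry,
 * map holds only the heap-allocated entries that must be freed on removal. */
static int model_unsetenv(char **env, char **map, const char *name)
{
	size_t l = strlen(name);
	int i, j, freed = 0;

	for (i = 0; env[i]; i++);
	/* Walk backwards: the entry swapped into slot i comes from slot im,
	 * which was already examined, so no rescan from position 0 is needed. */
	for (int im = i - 1; --i >= 0; ) {
		/* strncmp (not memcmp) so entries shorter than name are not over-read */
		if (strncmp(name, env[i], l) || env[i][l] != '=')
			continue;
		for (j = 0; map[j]; j++);
		for (int jm = j - 1; --j >= 0; )
			if (map[j] == env[i]) {
				/* Compare first, free last: nothing reads the
				 * freed pointer after this block. */
				map[j] = map[jm];
				map[jm] = 0;
				free(env[i]);
				freed++;
				break;
			}
		if (i != im) env[i] = env[im];
		env[im--] = 0;
	}
	return freed;
}

static char *heap_copy(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : 0; }

/* Constructed sample: two heap-owned FOO entries, one static FOO, two others.
 * Copies the first three env slots to left; returns the number of frees. */
static int demo(char **left)
{
	static char s1[] = "PATH=/bin", s2[] = "FOO=static", s3[] = "HOME=/root";
	char *a = heap_copy("FOO=1"), *b = heap_copy("FOO=2");
	char *env[] = { a, s1, s2, b, s3, 0 }, *map[] = { a, b, 0 };
	int freed = model_unsetenv(env, map, "FOO");
	memcpy(left, env, 3 * sizeof *left);
	return map[0] ? -1 : freed;
}

int main(void) { char *left[3]; return demo(left) != 2; }
```

Only the two heap-owned entries are freed; the static FOO entry is dropped from env without a free, and the surviving entries end up reordered.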