Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <alpine.LNX.2.20.1603050844370.31711@monopod.intra.ispras.ru>
Date: Sat, 5 Mar 2016 09:01:54 +0300 (MSK)
From: Alexander Monakov <amonakov@...ras.ru>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] slim down and avoid undefined behavior in
 unsetenv

On Sat, 5 Mar 2016, Rich Felker wrote:
> > -char **__env_map;
> > +static char **__env_map;
> > +
> > +void __env_free(char *p)
> > +{
> > +	if (__env_map)
> 
> Perhaps if (!__env_map) return; to avoid gratuitous indention of the
> whole rest of the function?

I don't mind; I did consider this point and went with this style because
indent increase is not too bad and it's a bit easier to see that it just
guards the for loop. But I can change it when resubmitting the patch.

> Aside from that, I really like this, especially making __env_map
> private. But perhaps we should rename it not to use __ prefix now that
> it's static?

Indeed, I haven't noticed that. Personally I'd prefer to make the rename a
separate patch, though.

> >  extern char **__environ;
> > -extern char **__env_map;
> > +
> > +static void dummy(char *p) {}
> > +weak_alias(dummy, __env_free);
> 
> This makes it so unsetenv no longer requires full malloc, I think,
> right? Nice.

That was your idea from the previous discussion :)

> > +	for (char **e = __environ; *e; )
> > +		if (!memcmp(name, *e, l) && l[*e] == '=') {
> > +			char **ee = e, *tmp = *e;
> > +			do *ee = *(ee+1);
> > +			while (*++ee);
> 
> We could use memmove here but I'm not sure if it's nicer or not.

I guess not, without additional code tracking current size?..

> > +			__env_free(tmp);
> > +		} else
> > +			e++;
> 
> As a matter of style, if the 'if' body is a block I generally try to
> do the same for the else.

In that case I'd like to make that change while swapping the if/else branches
around.

> Also we're not using clause-1 declarations in for statements elsewhere
> in musl afaik, but I'm not opposed to adopting their use where it
> makes sense.

There were a few instances of 'for (int i=0; ...)' already so I felt I have a
license to do this :)

> I think the loop logic might be clearer with indices instead of
> pointers, but I'm not sure. Is there a reason you preferred switching
> to pointers?

Well, the whole thing started with removing benign undefined behavior, so I
felt it's in line to remove int-indexing (not ssize_t) on an unbounded array.
Apart from that, I like more how the 'for' statement reads with this change.

> One nice (I think; others may disagree) aspect of indices
> is that instead of the if/else we could just have an unconditional i++
> in the for's expression-3 and an i-- inside the if block.

Yeah, that's a bit of a loss, but I hope it's alright and not too obfuscated.

> These are all minor comments, and the patch looks like it could be
> okay as-is. I didn't see any bugs. Have you done any testing?

Nope, sorry; I'm not dogfooding musl.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.