This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/2703] envz_strip() works incorrectly


------- Additional Comments From rsa at us dot ibm dot com  2006-06-02 15:10 -------
My tests (on i386 and ppc64) indicate that the problem is a little bit more
bizarre.  The function envz_strip() will successfully process successive strings
in a vector where the string's value isn't NULL.  It will then successfully
strip a successive sequence of strings where the value is null.  It will fail
with a segmentation violation upon encountering the next instance of a string
with a non-NULL value.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy */
#include <unistd.h>   /* write */
#include <envz.h>

int main(void) {

        size_t size = 0;
        char **argz;
        char *str = malloc(63);
        argz = &str;

        /* 63-byte envz vector: seven NUL-terminated entries, three of them
           ("arg3", "arg4", "arg6") without a value */
        memset(*argz, 0x00, 63);
        memcpy(*argz,
"arg1=value1\0arg2=value2\0arg3\0arg4\0arg5=value5\0arg6\0arg7=value7\0", 63);
        /* comment out two of the three to choose the length passed in */
        size = 29;
        size = 34;
        size = 45;

        write(1, *argz, 63);
        printf("\nsize=%zu\n", (size_t)63);
        printf("calling envz_strip with size=%zu\n", size);
        envz_strip(argz, &size);

        write(1, *argz, size);
        printf("\nsize=%zu\n", size);
        argz = 0;

        free(str);
        return 0;
}

To test simply comment out two of the three 'size' assignments and witness the
behavior change.  It is successful until 'size' exceeds '34'.

The problem certainly is with the memmove() invocation in envz_strip():

arg1=value1arg2=value2arg3arg4arg5=value5arg6arg7=value7
size=63
calling envz_strip with size=45

Program received signal SIGSEGV, Segmentation fault.
0x10007cfc in _wordcopy_bwd_dest_aligned ()
(gdb) bt
#0  0x10007cfc in _wordcopy_bwd_dest_aligned ()
#1  0x10025604 in memmove ()
#2  0x10008008 in envz_strip ()
#3  0x100003c8 in main ()

I will test the proposed memmove invocation change in envz_strip() and report
the result.



-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=2703

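The following is an added example, not code from the bug report or from glibc. It is a stand-alone reference implementation of the envz_strip() semantics (drop every entry that has no '=' and compact the remaining entries down) with the memmove() direction that the compaction needs: the destination is the stripped entry and the source is the entry after it. It also scans with memchr() bounded by the remaining length, so a length that does not end on an entry boundary (the size=45 case against the 63-byte vector above) cannot read past the buffer. The ex_* names are hypothetical and the vector is rebuilt inline from the report as constructed input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Reference envz_strip() written for this example; it is NOT glibc's code.
 * An envz vector is a run of NUL-terminated "name[=value]" entries packed
 * into one buffer of envz_len bytes.  Stripping removes every entry that has
 * no '=' by pulling the rest of the vector down over it with memmove().
 * The memmove() direction matters: the destination is the stripped entry
 * and the source is the entry after it, with `left` bytes still to move.
 */
void ex_envz_strip(char **envz, size_t *envz_len)
{
    char *entry = *envz;
    size_t left = *envz_len;

    while (left) {
        /* Bounded scan: never read past envz_len even if the caller passed a
           length that does not end on an entry boundary (as size=45 does
           with the 63-byte vector in the report). */
        const char *nul = memchr(entry, '\0', left);
        size_t entry_len = nul ? (size_t)(nul - entry) + 1 : left;
        left -= entry_len;

        if (memchr(entry, '=', entry_len) == NULL) {
            /* Null entry: overwrite it with everything that follows. */
            memmove(entry, entry + entry_len, left);
        } else {
            entry += entry_len;
        }
    }
    *envz_len = (size_t)(entry - *envz);
}

/* The 63-byte vector from the report, rebuilt here as constructed input.
   sizeof counts the literal's trailing NUL, so REPORT_LEN is 63. */
static const char REPORT_ENVZ[] =
    "arg1=value1\0arg2=value2\0arg3\0arg4\0arg5=value5\0arg6\0arg7=value7";
#define REPORT_LEN sizeof(REPORT_ENVZ)

/* Strip a private copy of the report vector using its first `len` bytes.
   Returns the stripped length and copies the result into out (if given). */
size_t ex_strip_report_vector(size_t len, char *out, size_t out_cap)
{
    char buf[REPORT_LEN];
    char *p = buf;

    memcpy(buf, REPORT_ENVZ, sizeof buf);
    if (len > sizeof buf)
        len = sizeof buf;
    ex_envz_strip(&p, &len);
    if (out != NULL && out_cap != 0)
        memcpy(out, buf, len < out_cap ? len : out_cap);
    return len;
}

/* 1 if stripping the first `len` bytes yields exactly expect[0..expect_len). */
int ex_check_report_vector(size_t len, const char *expect, size_t expect_len)
{
    char out[REPORT_LEN];
    size_t n = ex_strip_report_vector(len, out, sizeof out);
    return n == expect_len && memcmp(out, expect, n) == 0;
}

/* Print an envz vector with entries separated by '|' so the NULs are visible. */
static void ex_print_envz(const char *envz, size_t len)
{
    for (size_t i = 0; i < len; i++)
        putchar(envz[i] ? envz[i] : '|');
    putchar('\n');
}

int main(void)
{
    static const size_t sizes[] = { 29, 34, 45, 63 };
    char out[REPORT_LEN];

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = ex_strip_report_vector(sizes[i], out, sizeof out);
        printf("size=%zu -> stripped size=%zu: ", sizes[i], n);
        ex_print_envz(out, n);
    }
    return 0;
}
```

With the full 63 bytes the four valued entries survive (48 bytes); with 29 or 34 bytes only the first two survive (24 bytes); with 45 bytes the partial "arg5=value5" tail is kept as-is and the result is 35 bytes, with no read beyond the length passed in.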

