This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param


https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #17 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
The test from comment #13 is invalid. Small repro:

#include <stdio.h>
#include <stdlib.h>

int main(void) {
  /* Invalid call: setenv(3) requires a non-NULL value (the argument is
   * declared non-null), so this is undefined behaviour, not a libc bug. */
  setenv("Ca", NULL, 1);
  /* getenv() hands back the block setenv() stored, which was built without
   * a value and so is not NUL-terminated; printf reads past its end. */
  char *p = getenv("Ca");
  printf("p: %s\n", p);
  return 0;
}


$ gcc t2.c
t2.c: In function 'main':
t2.c:5:3: warning: null argument where non-null required (argument 2) [-Wnonnull]
   setenv("Ca", NULL, 1);
   ^

That is, setenv(..., NULL, ...) is explicitly disallowed.


$ valgrind ./a.out

==30371== Invalid read of size 1
==30371==    at 0x4A70A03: vfprintf (/build/buildd/eglibc-2.19/stdio-common/vfprintf.c:1661)
==30371==    by 0x4A79498: printf (/build/buildd/eglibc-2.19/stdio-common/printf.c:33)
==30371==    by 0x40060C: main (in /tmp/a.out)
==30371==  Address 0x4dea2d3 is 0 bytes after a block of size 3 alloc'd
==30371==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==30371==    by 0x4A60C59: __add_to_environ (/build/buildd/eglibc-2.19/stdlib/setenv.c:193)
==30371==    by 0x40344BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==30371==    by 0x4005E8: main (in /tmp/a.out)


Now, arguably GLIBC could do something smarter and make these equivalent:

  setenv("Ca", NULL, 1);
  setenv("Ca", "", 1);

But if that NULL should be handled at all, it's a separate bug.

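The 3-byte block in the valgrind report above is consistent with the two-character name plus "=" and no terminating NUL, which is why the later printf runs off its end. As an added example, not glibc code and not part of the bug report, here is a hypothetical wrapper that does what comment #17 says glibc could arguably do: treat a NULL value as "" so the two calls become equivalent, and reject invalid names up front so the result does not depend on which libc is underneath. The names setenv_or_empty and env_value_length are made up here; the only assumptions are a POSIX setenv(3)/getenv(3).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper (not glibc's API): setenv() that accepts
 * value == NULL by storing the empty string instead. Returns 0 on
 * success, or -1 with errno set, mirroring setenv(3). */
int setenv_or_empty(const char *name, const char *value, int overwrite)
{
    /* POSIX forbids an empty name or one containing '='; check it
     * ourselves rather than relying on the underlying libc. */
    if (name == NULL || name[0] == '\0' || strchr(name, '=') != NULL) {
        errno = EINVAL;
        return -1;
    }
    /* NULL is undefined behaviour for setenv(3); map it to "". */
    return setenv(name, value != NULL ? value : "", overwrite);
}

/* Length of the value currently stored for NAME, or -1 if it is unset.
 * A stored value is always NUL-terminated, so strlen() is safe here. */
long env_value_length(const char *name)
{
    const char *v = getenv(name);
    return v == NULL ? -1 : (long) strlen(v);
}

int main(void)
{
    /* Same sequence as the invalid repro, routed through the wrapper. */
    if (setenv_or_empty("Ca", NULL, 1) != 0)
        return 1;
    /* getenv("Ca") now returns a valid, NUL-terminated empty string. */
    return env_value_length("Ca") == 0 ? 0 : 1;
}
```

Running the wrapper version under valgrind produces no invalid read, because the environment entry is "Ca=" followed by a NUL rather than a bare "Ca=".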
