This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- From: "ppluzhnikov at google dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 09 Mar 2015 22:25:47 +0000
- Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- Auto-submitted: auto-generated
- References: <bug-18043-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18043
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What                  |Removed   |Added
----------------------------------------------------------------------------
Status                |REOPENED  |RESOLVED
Resolution            |---       |FIXED
--- Comment #17 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
The test from comment #13 is invalid. Small repro:
#include <stdio.h>
#include <stdlib.h>

int main(void) {
  /* Invalid: setenv(3) requires a non-NULL value (glibc marks the
     parameter __nonnull), so this call is undefined behaviour. */
  setenv("Ca", NULL, 1);
  char *p = getenv("Ca");
  /* Reads the entry just written; valgrind flags the read below. */
  printf("p: %s\n", p);
  return 0;
}
$ gcc t2.c
t2.c: In function 'main':
t2.c:5:3: warning: null argument where non-null required (argument 2) [-Wnonnull]
   setenv("Ca", NULL, 1);
   ^
That is, setenv(..., NULL, ...) is explicitly disallowed.
$ valgrind ./a.out
==30371== Invalid read of size 1
==30371==    at 0x4A70A03: vfprintf (/build/buildd/eglibc-2.19/stdio-common/vfprintf.c:1661)
==30371==    by 0x4A79498: printf (/build/buildd/eglibc-2.19/stdio-common/printf.c:33)
==30371==    by 0x40060C: main (in /tmp/a.out)
==30371==  Address 0x4dea2d3 is 0 bytes after a block of size 3 alloc'd
==30371==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==30371==    by 0x4A60C59: __add_to_environ (/build/buildd/eglibc-2.19/stdlib/setenv.c:193)
==30371==    by 0x40344BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==30371==    by 0x4005E8: main (in /tmp/a.out)
Now, arguably GLIBC could do something smarter and make these equivalent:
setenv("Ca", NULL, 1);
setenv("Ca", "", 1);
But if that NULL should be handled at all, it's a separate bug.
--
You are receiving this mail because:
You are on the CC list for the bug.
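Added example (not part of the bug report, and not glibc code): a caller-side
wrapper that implements the "NULL behaves like empty string" equivalence the
comment above describes as arguable, so that a NULL value never reaches
setenv(3). The wrapper name setenv_nullsafe, the helper env_state and the
variable name GR_EXAMPLE_VAR are assumptions made for this example. env_state
exists to make the point that "set to the empty string" is still distinct from
"not set", which is what a NULL->"" mapping preserves.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical NULL-safe wrapper around setenv(3).
 * setenv() requires a non-NULL value; passing NULL is undefined
 * behaviour (gcc warns with -Wnonnull, and the valgrind report in the
 * comment above shows the resulting entry being read past its end).
 * This wrapper maps NULL to "" so that setenv_nullsafe("Ca", NULL, 1)
 * is equivalent to setenv("Ca", "", 1). Returns -1 for a NULL name. */
int setenv_nullsafe(const char *name, const char *value, int overwrite)
{
    if (name == NULL)
        return -1;
    return setenv(name, value != NULL ? value : "", overwrite);
}

/* Classify a variable: 0 = unset, 1 = set to the empty string,
 * 2 = set to a non-empty value. Shows the distinction the NULL->""
 * mapping keeps: an empty variable still exists in the environment. */
int env_state(const char *name)
{
    const char *p = getenv(name);
    if (p == NULL)
        return 0;
    return p[0] == '\0' ? 1 : 2;
}

int main(void)
{
    const char *var = "GR_EXAMPLE_VAR";   /* constructed name for the demo */

    unsetenv(var);
    printf("before:     state=%d\n", env_state(var));

    setenv_nullsafe(var, NULL, 1);        /* would be UB with plain setenv */
    printf("after NULL: state=%d value=\"%s\"\n", env_state(var), getenv(var));

    setenv_nullsafe(var, "x", 1);
    printf("after \"x\":  state=%d value=\"%s\"\n", env_state(var), getenv(var));
    return 0;
}
```

Compile with the same warning flags as the original repro (gcc enables
-Wnonnull by default); the wrapper produces no warning because the non-NULL
argument is guaranteed before setenv() is called.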