On Sun, Jul 08, 2007 at 09:17:27PM +0400, Andrey Chernov wrote: > Hmm. I just think a bit more and feel worry about that place in the merge > code: > > *equals = '\0'; > if (setenv(*env, equals + 1, 1) == -1) > return (-1); > *equals = '='; > because it modifies memory which may be treated like const one. > > Consider following scenario: getenv() is not thread-safe, but may be [snip] I found another breakage case not covered by your last getenv() fix. Take this simple program: -- a.c ------------------------------------------------------------------- #include <stdlib.h> extern char **environ; main () { static char *nenv[2]; nenv[0] = "PATH=/bin"; nenv[1] = NULL; /* environ = nenv; unsetenv("PATH"); or somethig like which touch '=' char in nenv[0] */ nenv[0][4] = '\0'; } -- a.c ------------------------------------------------------------------- Look at assembler code first: cc -S a.c cat a.s .file "a.c" .local nenv.1948 .comm nenv.1948,8,4 .section .rodata .LC0: .string "PATH=/bin" .text [skipped] As you may see, compiler puts "PATH=/bin" to the program's .rodata section which is placed to read only memory. If later you'll modify this single "PATH=/bin" (comes from "nenv" now) by *equals = '\0'; ... *equals = '='; core dump happens, which simulated in my simple a.c example by nenv[0][4] = '\0'; Just run it and got code dump. -- http://ache.pp.ru/Received on Fri Jul 13 2007 - 14:27:45 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:14 UTC