On Fri, 13 Jul 2007, Andrey Chernov wrote:

> On Sun, Jul 08, 2007 at 09:17:27PM +0400, Andrey Chernov wrote:

*snip*

> [snip]
>
> I found another breakage case not covered by your last getenv() fix.
> Take this simple program:
>
> -- a.c ---------------------------------------------------------------
> #include <stdlib.h>
> extern char **environ;
>
> int main(void) {
>
>     static char *nenv[2];
>
>     nenv[0] = "PATH=/bin";
>     nenv[1] = NULL;
>
>     /*
>      environ = nenv;
>      unsetenv("PATH"); or something like this,
>      which touches the '=' char in nenv[0]
>     */
>
>     nenv[0][4] = '\0';
>
>     return 0;
> }
> -- a.c ---------------------------------------------------------------

*snip*

> As you may see, the compiler puts "PATH=/bin" into the program's .rodata
> section, which is placed in read-only memory.
>
> If later you'll modify this single "PATH=/bin" (comes from "nenv" now)
> by
>     *equals = '\0';
>     ...
>     *equals = '=';
> a core dump happens, which is simulated in my simple a.c example by
>     nenv[0][4] = '\0';
>
> Just run it and get a core dump.

FreeBSD 6 will also dump if the length of the value was less than or
equal to "/bin" since it reuses this string. This will core dump:

    nenv[0] = "PATH=/bin";
    nenv[1] = NULL;
    environ = nenv;
    setenv("PATH", "/bin", 1);

Sean
--
scf_at_FreeBSD.org

Received on Fri Jul 13 2007 - 17:39:48 UTC
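The failure both posts describe is a libc that edits environment strings in place (blanking the '=' for lookups, or reusing the old buffer when a new value fits), which crashes as soon as an entry points into .rodata. The following is an added example, not code from the thread or from FreeBSD libc, of the opposite design: every entry in the private copy is heap-owned, lookups only read, and set/unset swap pointers to freshly allocated strings. The `env_t`, `env_init`, `env_get`, `env_set`, `env_unset`, `env_free` and `demo` names are hypothetical, and `demo` mirrors Andrey's a.c by starting from a `static char *nenv[2]` holding a string literal.

```c
/* Added example (not from the thread): an environment table whose
 * strings are never edited in place.  A literal such as "PATH=/bin"
 * supplied by the caller is copied on entry and never written to. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char **vec;    /* NULL-terminated "NAME=VALUE" array; every string heap-owned */
    size_t count;  /* entries before the terminating NULL */
} env_t;

/* Heap copy of s (local helper so no feature-test macro is needed). */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Build a private copy of src: later edits never touch the caller's
 * (possibly read-only) storage. Returns 0 on success, -1 on failure. */
static int env_init(env_t *e, char *const *src) {
    size_t n = 0;
    while (src && src[n]) n++;
    e->vec = calloc(n + 1, sizeof *e->vec);
    if (!e->vec) return -1;
    for (size_t i = 0; i < n; i++) {
        e->vec[i] = dup_str(src[i]);
        if (!e->vec[i]) {
            for (size_t j = 0; j < i; j++) free(e->vec[j]);
            free(e->vec); e->vec = NULL;
            return -1;
        }
    }
    e->count = n;
    return 0;
}

/* Index of the "NAME=" entry, or -1. Read-only comparison: no '=' is
 * blanked to form a temporary key, which is what crashed in the thread. */
static long env_find(const env_t *e, const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; i < e->count; i++)
        if (strncmp(e->vec[i], name, len) == 0 && e->vec[i][len] == '=')
            return (long)i;
    return -1;
}

static const char *env_get(const env_t *e, const char *name) {
    long i = env_find(e, name);
    return i < 0 ? NULL : e->vec[i] + strlen(name) + 1;
}

/* Replace or append. The old buffer is never reused, whatever its size:
 * the "fits, so reuse" shortcut is exactly what FreeBSD 6 tripped over. */
static int env_set(env_t *e, const char *name, const char *value) {
    if (!*name || strchr(name, '=')) return -1;
    size_t nl = strlen(name), vl = strlen(value);
    char *entry = malloc(nl + 1 + vl + 1);
    if (!entry) return -1;
    memcpy(entry, name, nl);
    entry[nl] = '=';
    memcpy(entry + nl + 1, value, vl + 1);
    long i = env_find(e, name);
    if (i >= 0) { free(e->vec[i]); e->vec[i] = entry; return 0; }
    char **nv = realloc(e->vec, (e->count + 2) * sizeof *nv);
    if (!nv) { free(entry); return -1; }
    e->vec = nv;
    e->vec[e->count++] = entry;
    e->vec[e->count] = NULL;
    return 0;
}

/* Remove by shifting pointers down over the slot (NULL terminator
 * included); the string is freed, not edited. */
static int env_unset(env_t *e, const char *name) {
    long i = env_find(e, name);
    if (i < 0) return 0;
    free(e->vec[i]);
    memmove(&e->vec[i], &e->vec[i + 1], (e->count - (size_t)i) * sizeof *e->vec);
    e->count--;
    return 0;
}

static void env_free(env_t *e) {
    for (size_t i = 0; i < e->count; i++) free(e->vec[i]);
    free(e->vec); e->vec = NULL; e->count = 0;
}

/* Mirrors the thread's a.c: the literal in .rodata survives untouched
 * even through a same-length setenv and an unsetenv. Returns 0 if so. */
static int demo(void) {
    static char *nenv[2] = { "PATH=/bin", NULL };  /* constructed; literal in .rodata */
    env_t e;
    if (env_init(&e, nenv) != 0) return -1;
    int ok = env_set(&e, "PATH", "/bin") == 0
          && strcmp(env_get(&e, "PATH"), "/bin") == 0
          && env_unset(&e, "PATH") == 0
          && env_get(&e, "PATH") == NULL
          && strcmp(nenv[0], "PATH=/bin") == 0;  /* original literal intact */
    env_free(&e);
    return ok ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

The cost of this design is one allocation per set and a copy of the initial table; the benefit is that nothing the caller hands in, whether a string literal, a stack buffer or a shared string reused across entries, is ever written through.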
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:14 UTC