[BusyBox 0001385]: Unsafe putenv() in mdev corrupts environment
bugs at busybox.net
Fri Jun 8 16:05:46 UTC 2007
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=1385
======================================================================
Reported By: eswierk
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 1385
Category: Other
Reproducibility: random
Severity: major
Priority: normal
Status: assigned
======================================================================
Date Submitted: 06-07-2007 11:34 PDT
Last Modified: 06-08-2007 09:05 PDT
======================================================================
Summary: Unsafe putenv() in mdev corrupts environment
Description:
An unsafe use of putenv() in mdev.c (BusyBox 1.5.1) occasionally corrupts
the environment, causing the spawned process to receive garbage in the
MDEV variable. This occurs only intermittently, and only when mdev -s is
invoked explicitly.
If I understand the semantics of putenv(), it uses the passed string
directly, so the caller must not free it. Patch attached.
======================================================================
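Added example (not part of the bug report, the attached patches or the BusyBox source): a small C program showing the putenv() semantics the description refers to, next to the copying behaviour of setenv(). The function names and the sample device name "sda1" are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* declares putenv(), setenv(), unsetenv(), strdup() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if putenv() made the caller's buffer itself the environment entry.
 * dev must be non-empty. */
int putenv_aliases_buffer(const char *dev)
{
    size_t len = strlen(dev) + sizeof("MDEV=");
    char *s = malloc(len);
    if (!s) return -1;
    snprintf(s, len, "MDEV=%s", dev);
    if (putenv(s) != 0) { free(s); return -1; }
    int aliased = (getenv("MDEV") == s + 5);  /* same memory, no copy was made */
    s[5] = '?';                               /* a write to s edits the environment */
    aliased = aliased && getenv("MDEV")[0] == '?';
    unsetenv("MDEV");  /* remove the entry first so environ keeps no dangling pointer */
    free(s);
    return aliased;
}

/* setenv() copies the value, so MDEV does not depend on the caller's storage;
 * unsetenv() removes it once the command has run. Returns system()'s status. */
int run_with_mdev(const char *dev, const char *command)
{
    if (setenv("MDEV", dev, 1) != 0) return -1;
    int rc = system(command);
    unsetenv("MDEV");
    return rc;
}

/* Returns 1 if MDEV set by setenv() survives overwriting and freeing the source. */
int setenv_copies_value(void)
{
    char *dev = strdup("sda1");               /* constructed sample device name */
    if (!dev || setenv("MDEV", dev, 1) != 0) { free(dev); return -1; }
    memset(dev, '?', strlen(dev));
    free(dev);
    int ok = strcmp(getenv("MDEV"), "sda1") == 0;
    unsetenv("MDEV");
    return ok;
}

int main(void)
{
    printf("putenv aliased=%d setenv copied=%d child_ok=%d\n", putenv_aliases_buffer("sda1"),
           setenv_copies_value(), run_with_mdev("sda1", "[ \"$MDEV\" = sda1 ]") == 0);
}
```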
----------------------------------------------------------------------
Souf - 06-07-07 13:32
----------------------------------------------------------------------
I already sent a patch for Mdev, I attach it still here, try it.
http://busybox.net/lists/busybox/2007-June/027588.html
http://busybox.net/lists/busybox/2007-May/027515.html
http://busybox.net/lists/busybox/2007-May/027416.html
http://busybox.net/lists/busybox/2007-May/027367.html
----------------------------------------------------------------------
vda - 06-08-07 09:05
----------------------------------------------------------------------
if (command) {
int rc;
- char *s;
- s = xasprintf("MDEV=%s", device_name);
- putenv(s);
+ setenv("MDEV", device_name, 1);
rc = system(command);
- s[4] = 0;
- putenv(s);
- free(s);
free(command);
if (rc == -1) bb_perror_msg_and_die("cannot run %s",
command);
}
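Review bot: After "rc = system(command);" the hunk drops the "s[4] = 0; putenv(s);" cleanup without adding a replacement, so MDEV stays set in mdev's own environment once the command returns; add unsetenv("MDEV") directly after the system() call. The return value of setenv() is also unchecked, and the context lines call free(command) before passing command to bb_perror_msg_and_die(), so the error message reads freed memory; move free(command) below the rc check.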
s is freed after system() call. command will never get garbled
environment.
I'd just use unsetenv() instead of putenv() to make action clear(er).
Issue History
Date Modified Username Field Change
======================================================================
06-07-07 11:34 eswierk New Issue
06-07-07 11:34 eswierk Status new => assigned
06-07-07 11:34 eswierk Assigned To => BusyBox
06-07-07 11:34 eswierk File Added: busybox-202-mdev-putenv-bug.patch
06-07-07 11:40 eswierk Issue Monitored: eswierk
06-07-07 13:32 Souf Note Added: 0002462
06-07-07 13:33 Souf File Added: mdev.patch
06-08-07 09:05 vda Note Added: 0002468
======================================================================