[Bug 13496] New: bb_unsetenv maybe free a NULL memory
bugzilla at busybox.net
bugzilla at busybox.net
Fri Jan 29 04:34:37 UTC 2021
https://bugs.busybox.net/show_bug.cgi?id=13496
Bug ID: 13496
Summary: bb_unsetenv maybe free a NULL memory
Product: Busybox
Version: 1.32.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Networking
Assignee: unassigned at busybox.net
Reporter: luoruncai at 163.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
In the version 1.32.1,in file: busybox-1.32.1/libbb/xfuncs_printf.c
fuction: void FAST_FUNC bb_unsetenv(const char *var):
the origin code is bellow:
void FAST_FUNC bb_unsetenv(const char *var)
{
char onstack[128 - 16]; /* smaller stack setup code on x86 */
char *tp;
tp = strchr(var, '=');
if (tp) {
/* In case var was putenv'ed, we can't replace '='
* with NUL and unsetenv(var) - it won't work,
* env is modified by the replacement, unsetenv
* sees "VAR" instead of "VAR=VAL" and does not remove it!
* Horror :(
*/
unsigned sz = tp - var;
if (sz < sizeof(onstack)) {
((char*)mempcpy(onstack, var, sz))[0] = '\0';
tp = NULL;
var = onstack;
} else {
/* unlikely: very long var name */
var = tp = xstrndup(var, sz);
}
}
unsetenv(var);
free(tp); // --- tp maybe a NULL when sz < sizeof(onstack)
}
so, my idea is :
if (tp != NULL) free(tp);
Thanks.
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the busybox-cvs
mailing list