[Bug 13496] New: bb_unsetenv maybe free a NULL memory

bugzilla at busybox.net bugzilla at busybox.net
Fri Jan 29 04:34:37 UTC 2021


https://bugs.busybox.net/show_bug.cgi?id=13496

            Bug ID: 13496
           Summary: bb_unsetenv maybe free a NULL memory
           Product: Busybox
           Version: 1.32.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Networking
          Assignee: unassigned at busybox.net
          Reporter: luoruncai at 163.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

In the version 1.32.1,in file: busybox-1.32.1/libbb/xfuncs_printf.c

fuction: void FAST_FUNC bb_unsetenv(const char *var):

the origin code is bellow:
void FAST_FUNC bb_unsetenv(const char *var)
{
        char onstack[128 - 16]; /* smaller stack setup code on x86 */
        char *tp;

        tp = strchr(var, '=');
        if (tp) {
                /* In case var was putenv'ed, we can't replace '='
                 * with NUL and unsetenv(var) - it won't work,
                 * env is modified by the replacement, unsetenv
                 * sees "VAR" instead of "VAR=VAL" and does not remove it!
                 * Horror :(
                 */
                unsigned sz = tp - var;
                if (sz < sizeof(onstack)) {
                        ((char*)mempcpy(onstack, var, sz))[0] = '\0';
                        tp = NULL;
                        var = onstack;
                } else {
                        /* unlikely: very long var name */
                        var = tp = xstrndup(var, sz);
                }
        }
        unsetenv(var);
        free(tp);  // --- tp maybe a NULL when sz < sizeof(onstack)
}


so, my idea is :
if (tp != NULL) free(tp);


Thanks.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the busybox-cvs mailing list