[Bug 13496] bb_unsetenv maybe free a NULL memory

bugzilla at busybox.net bugzilla at busybox.net
Fri Jan 29 05:09:04 UTC 2021


https://bugs.busybox.net/show_bug.cgi?id=13496

--- Comment #1 from Rein <luoruncai at 163.com> ---
busybox-1.32.1/libbb/xfuncs_printf.c:

void FAST_FUNC bb_unsetenv(const char *var)
{
        char onstack[128 - 16]; /* smaller stack setup code on x86 */
        char *tp;

        tp = strchr(var, '=');
        if (tp) {
                /* In case var was putenv'ed, we can't replace '='
                 * with NUL and unsetenv(var) - it won't work,
                 * env is modified by the replacement, unsetenv
                 * sees "VAR" instead of "VAR=VAL" and does not remove it!
                 * Horror :(
                 */
                unsigned sz = tp - var;
                if (sz < sizeof(onstack)) {
                        ((char*)mempcpy(onstack, var, sz))[0] = '\0';
                        // do not use mempcpy, this may abort the process
                        // I changed it to snprintf(onstack, sz + 1, "%s", var); to fix it
                        tp = NULL;
                        var = onstack;
                } else {
                        /* unlikely: very long var name */
                        var = tp = xstrndup(var, sz);
                }
        }
        unsetenv(var);
        free(tp);  // --- tp may be NULL when sz < sizeof(onstack)
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.
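
The two branches quoted in the comment above can be exercised outside busybox with the following added example (not part of the original report and not busybox code). demo_unsetenv and demo_putenv_case are hypothetical names, memcpy and malloc stand in for mempcpy and xstrndup, and the GR_DEMO_* variable is a constructed sample. The final free() relies on the C standard's rule that free(NULL) performs no action.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for setenv/unsetenv/putenv */
#endif
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for bb_unsetenv(): same control flow, but memcpy and
 * malloc replace mempcpy and xstrndup so it builds without busybox or GNU
 * extensions. Returns 1 if the heap path was taken, 0 if tp stayed NULL. */
int demo_unsetenv(const char *var)
{
	char onstack[128 - 16];
	char *tp = strchr(var, '=');
	int used_heap = 0;

	if (tp) {
		size_t sz = (size_t)(tp - var);   /* length of the name only */
		if (sz < sizeof(onstack)) {
			memcpy(onstack, var, sz);
			onstack[sz] = '\0';       /* sz <= 111, so in bounds */
			tp = NULL;                /* nothing on the heap to release */
			var = onstack;
		} else {
			tp = malloc(sz + 1);      /* unlikely: very long name */
			if (!tp) abort();
			memcpy(tp, var, sz);
			tp[sz] = '\0';
			var = tp;
			used_heap = 1;
		}
	}
	unsetenv(var);
	free(tp);   /* C standard: free(NULL) performs no action */
	return used_heap;
}

/* Constructed check: a putenv'ed "NAME=VALUE" string is removed from the
 * environment while the caller's buffer is left unmodified. */
int demo_putenv_case(void)
{
	static char entry[] = "GR_DEMO_PUT=value";   /* constructed sample */
	putenv(entry);
	demo_unsetenv(entry);
	return getenv("GR_DEMO_PUT") == NULL && strcmp(entry, "GR_DEMO_PUT=value") == 0;
}

int main(void) { return demo_putenv_case() ? 0 : 1; }
```

Running the short-name path under a memory checker such as valgrind or AddressSanitizer is a direct way to confirm whether the free(tp) call with tp == NULL is reported on a given libc.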

