[Bug 13496] bb_unsetenv maybe free a NULL memory
bugzilla at busybox.net
Fri Jan 29 05:09:04 UTC 2021
https://bugs.busybox.net/show_bug.cgi?id=13496
--- Comment #1 from Rein <luoruncai at 163.com> ---
busybox-1.32.1/libbb/xfuncs_printf.c:
void FAST_FUNC bb_unsetenv(const char *var)
{
	char onstack[128 - 16]; /* smaller stack setup code on x86 */
	char *tp;

	tp = strchr(var, '=');
	if (tp) {
		/* In case var was putenv'ed, we can't replace '='
		 * with NUL and unsetenv(var) - it won't work,
		 * env is modified by the replacement, unsetenv
		 * sees "VAR" instead of "VAR=VAL" and does not remove it!
		 * Horror :(
		 */
		unsigned sz = tp - var;
		if (sz < sizeof(onstack)) {
			((char*)mempcpy(onstack, var, sz))[0] = '\0';
			// do not use mempcpy, this may abort the process
			// I changed to snprintf(onstack, sz + 1, "%s", var); to fix it
			tp = NULL;
			var = onstack;
		} else {
			/* unlikely: very long var name */
			var = tp = xstrndup(var, sz);
		}
	}
	unsetenv(var);
	free(tp); // --- tp may be NULL when sz < sizeof(onstack)
}
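The block comment inside bb_unsetenv describes why the name is copied before calling unsetenv(). The following is an added example, not code from BusyBox or from the bug report, that reproduces that behaviour; the names GR_DEMO_VAR, unset_in_place, unset_via_copy and putenv_then are hypothetical, and the result assumes a libc (glibc and musl behave this way) whose unsetenv() only matches entries of the form NAME=.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700	/* putenv(), unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample entry; static because putenv() keeps this pointer
 * in environ instead of copying the string. */
static char entry[] = "GR_DEMO_VAR=VAL";

/* The approach the source comment warns about: NUL out '=' in the
 * caller's string, call unsetenv(), restore '='. Because the string IS
 * the environment entry, unsetenv() sees "GR_DEMO_VAR" with no '=' and
 * skips it. Returns 1 if the variable is still set afterwards. */
int unset_in_place(char *var)
{
	char *eq = strchr(var, '=');
	if (eq) *eq = '\0';
	unsetenv(var);
	if (eq) *eq = '=';
	return getenv("GR_DEMO_VAR") != NULL;
}

/* Copy the name into a private, bounded buffer and leave the entry
 * untouched. Returns 1 if still set, 0 if removed, -1 if name too long. */
int unset_via_copy(const char *var)
{
	char name[64];
	size_t sz = strcspn(var, "=");
	if (sz >= sizeof(name)) return -1;
	memcpy(name, var, sz);
	name[sz] = '\0';
	unsetenv(name);
	return getenv("GR_DEMO_VAR") != NULL;
}

/* (Re)install the entry with putenv(), then try one removal strategy. */
int putenv_then(int use_copy)
{
	if (putenv(entry) != 0) return -2;
	return use_copy ? unset_via_copy(entry) : unset_in_place(entry);
}

int main(void)
{
	printf("in-place: still set = %d\n", putenv_then(0));
	printf("via copy: still set = %d\n", putenv_then(1));
	return 0;
}
```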