Fix clearenv(3) leaving internal pointer alive after free.

This causes use-after-free and double-free bugs when other environment
functions are subsequently called.
Jonas 'Sortie' Termansen 2014-07-26 16:24:12 +02:00
parent 5f9da2a651
commit a8b8514272
2 changed files with 6 additions and 2 deletions


@ -32,6 +32,7 @@ extern "C" int clearenv()
for ( size_t i = 0; environ[i]; i++ )
free(environ[i]);
free(environ);
__environ_malloced = NULL;
}
environ = NULL;
return 0;
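Review bot: The freeing branch of clearenv now clears `__environ_malloced` but leaves the companion counters untouched, whereas recover_environment in the other file resets all three (`__environ_malloced`, `__environ_length`, `__environ_used`) after the same frees. If later setenv/putenv paths index the array by `__environ_used` or compare it with `__environ_length`, stale non-zero counters paired with a NULL array would be a memory-safety hazard of the same class this commit fixes; the visible lines do not show whether that can happen. Assuming both counters are declared where clearenv can see them, add `__environ_length = 0;` and `__environ_used = 0;` right after the new assignment. The enclosing `if` and the function header are above the hunk.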


@ -42,7 +42,10 @@ static char* create_entry(const char* name, size_t name_length,
char* result = (char*) malloc(result_size);
if ( !result )
return NULL;
stpcpy(stpcpy(stpcpy(result, name), "="), value);
memcpy(result, name, name_length);
result[name_length] = '=';
memcpy(result + name_length + 1, value, value_length);
result[name_length + 1 + value_length] = '\0';
return result;
}
@ -73,7 +76,7 @@ static bool recover_environment()
for ( size_t i = 0; i < __environ_used; i++ )
free(__environ_malloced[i]);
free(__environ_malloced);
__environ_malloced = 0;
__environ_malloced = NULL;
__environ_length = 0;
__environ_used = 0;
}
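Review bot: In the create_entry hunk the new writes end at index `name_length + 1 + value_length`, so they stay in bounds only if `result_size` is at least `name_length + value_length + 2`; that size is computed above the hunk and nothing in the visible lines states or checks it. Replacing `stpcpy` with `memcpy` also changes the contract: the passed lengths are now authoritative and `name` is no longer read up to its NUL, which the commit message does not mention. State the invariant next to the copies, e.g. `// result_size == name_length + 1 + value_length + 1; name and value are copied by length, not up to NUL.` If the size is an unchecked sum, also reject a wrapped value before `malloc`. The function starts outside the hunk.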