[Bug libc/13231] setenv ("NAME", NULL) corrupts environment

[Bug libc/13231] setenv ("NAME", NULL) corrupts environment

[robert.ancell at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13231

Robert Ancell <robert.ancell at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://launchpad.net/bugs/
                   |                            |861132

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13231] New: setenv ("NAME", NULL) corrupts environment

[robert.ancell at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13231

             Bug #: 13231
           Summary: setenv ("NAME", NULL) corrupts environment
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: robert.ancell@gmail.com
    Classification: Unclassified


Created attachment 5948
  --> http://sourceware.org/bugzilla/attachment.cgi?id=5948
Proposed patch, which treats NULL value as "" (which I think is what the
current code intends).

setenv ("NAME", NULL) corrupts the environment. It doesn't seem specified what
the function should do when value is NULL, but the code does check for it - it
just does the wrong thing:

stdlib/setenv.c:
...
__add_to_environ (name, value, combined, replace)
...
  const size_t vallen = value != NULL ? strlen (value) + 1 : 0;
...
      memcpy (new_value, name, namelen);
      new_value[namelen] = '=';
      memcpy (&new_value[namelen + 1], value, vallen);
...

i.e. the new value is set to "NAME=" without the trailing nul character.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13231] setenv ("NAME", NULL) corrupts environment

[drepper.fsp at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13231

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-10-15 14:16:43 UTC ---
The parameter is supposed to be a string pointer.  NULL is no string pointer,
neither is in most case -1 etc.  There is no way to catch invalid pointers and
any such effort would only hurt correct code.  Just fix your code.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13231] setenv ("NAME", NULL) corrupts environment

[robert.ancell at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13231

--- Comment #2 from Robert Ancell <robert.ancell at gmail dot com> 2011-10-16 22:04:08 UTC ---
Could you please consider changing this line then:
  const size_t vallen = value != NULL ? strlen (value) + 1 : 0;
to:
  const size_t vallen = strlen (value) + 1;

This is detecting that value is NULL, handling it, then causing a greater
problem later on in the function.  If value must be non NULL then a
segmentation fault is preferable to a memory corruption which is much harded to
diagnose.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13231] setenv ("NAME", NULL) corrupts environment

[drepper.fsp at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13231

--- Comment #3 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-10-29 20:18:42 UTC ---
(In reply to comment #2)
> Could you please consider changing this line then:

No, this would require unnecessary other changes.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13231] setenv ("NAME", NULL) corrupts environment

[ldv at altlinux dot org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13231

--- Comment #4 from Dmitry V. Levin <ldv at altlinux dot org> 2011-10-29 23:17:07 UTC ---
(In reply to comment #3)
> (In reply to comment #2)
> > Could you please consider changing this line then:
> 
> No, this would require unnecessary other changes.

Since "value" and "combined" cannot be non-NULL altogether, the change is not
going to be so tremendous:

-  const size_t vallen = value != NULL ? strlen (value) + 1 : 0;
+  const size_t vallen = combined == NULL ? strlen (value) + 1 : 0;

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13231] setenv ("NAME", NULL) corrupts environment

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13231

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.