From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-hacker-return-8525-listarch-libc-hacker=sources.redhat.com@sources.redhat.com>
Received: (qmail 25979 invoked by alias); 24 Jul 2005 21:11:57 -0000
Mailing-List: contact libc-hacker-help@sources.redhat.com; run by ezmlm
Precedence: bulk
List-Subscribe: <mailto:libc-hacker-subscribe@sources.redhat.com>
List-Archive: <http://sources.redhat.com/ml/libc-hacker/>
List-Post: <mailto:libc-hacker@sources.redhat.com>
List-Help: <mailto:libc-hacker-help@sources.redhat.com>, <http://sources.redhat.com/ml/#faqs>
Sender: libc-hacker-owner@sources.redhat.com
Received: (qmail 25963 invoked by uid 22791); 24 Jul 2005 21:11:57 -0000
Received: from sunsite.ms.mff.cuni.cz (HELO sunsite.mff.cuni.cz) (195.113.15.26)
    by sourceware.org (qpsmtpd/0.30-dev) with ESMTP; Sun, 24 Jul 2005 21:11:57 +0000
Received: from sunsite.mff.cuni.cz (sunsite.mff.cuni.cz [127.0.0.1])
	by sunsite.mff.cuni.cz (8.13.1/8.13.1) with ESMTP id j6OLBkB7031726;
	Sun, 24 Jul 2005 23:11:46 +0200
Received: (from jakub@localhost)
	by sunsite.mff.cuni.cz (8.13.1/8.13.1/Submit) id j6OLBk3Z031717;
	Sun, 24 Jul 2005 23:11:46 +0200
Date: Sun, 24 Jul 2005 21:11:00 -0000
From: Jakub Jelinek <jakub@redhat.com>
To: Ulrich Drepper <drepper@redhat.com>
Cc: Glibc hackers <libc-hacker@sources.redhat.com>
Subject: [PATCH] Fix execvp
Message-ID: <20050724211145.GH15708@sunsite.mff.cuni.cz>
Reply-To: Jakub Jelinek <jakub@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
X-SW-Source: 2005-07/txt/msg00043.txt.bz2

Hi!

If execvp is called without PATH in environment and with
a non-existent program, it crashes, as path passed to
free is not the allocated buffer (but instead points to
the beginning of last confstr (_CS_PATH, ...) path component,
i.e. when the allocated buffer contains ":/bin:/usr/bin",
free is called on malloc returned pointer + 6.
To test for this safely in the testsuite, I guess we would need
to first check if current directory (we have control over it),
/bin and /usr/bin (we don't) don't contain "really nonexistent file"
or something similar.

2005-07-24  Jakub Jelinek  <jakub@redhat.com>

	[BZ #1125]
	* posix/execvp.c (execvp): Change path_malloc to
	char *, free that pointer on failure.

--- libc/posix/execvp.c.jj	2005-04-26 12:06:47.000000000 +0200
+++ libc/posix/execvp.c	2005-07-24 23:03:03.000000000 +0200
@@ -88,7 +88,7 @@ execvp (file, argv)
   else
     {
       char *path = getenv ("PATH");
-      bool path_malloc = false;
+      char *path_malloc = NULL;
       if (path == NULL)
 	{
 	  /* There is no `PATH' in the environment.
@@ -100,7 +100,7 @@ execvp (file, argv)
 	    return -1;
 	  path[0] = ':';
 	  (void) confstr (_CS_PATH, path + 1, len);
-	  path_malloc = true;
+	  path_malloc = path;
 	}
 
       size_t len = strlen (file) + 1;
@@ -108,8 +108,7 @@ execvp (file, argv)
       char *name = malloc (pathlen + len + 1);
       if (name == NULL)
 	{
-	  if (path_malloc)
-	    free (path);
+	  free (path_malloc);
 	  return -1;
 	}
       /* Copy the file name at the top.  */
@@ -190,8 +189,7 @@ execvp (file, argv)
 
       free (script_argv);
       free (name - pathlen);
-      if (path_malloc)
-	free (path);
+      free (path_malloc);
     }
 
   /* Return the error from the last attempt (probably ENOENT).  */

	Jakub