Date: Sun, 24 Jul 2005 21:11:00 -0000
From: Jakub Jelinek
To: Ulrich Drepper
Cc: Glibc hackers
Subject: [PATCH] Fix execvp
Message-ID: <20050724211145.GH15708@sunsite.mff.cuni.cz>

Hi!

If execvp is called without PATH in environment and with a non-existent program, it crashes, as path passed to free is not the allocated buffer (but instead points to the beginning of last confstr (_CS_PATH, ...) path component, i.e. when the allocated buffer contains ":/bin:/usr/bin", free is called on malloc returned pointer + 6).

To test for this safely in the testsuite, I guess we would need to first check if current directory (we have control over it), /bin and /usr/bin (we don't) don't contain "really nonexistent file" or something similar.

2005-07-24 Jakub Jelinek

[BZ #1125]
* posix/execvp.c (execvp): Change path_malloc to char *, free that pointer on failure.

--- libc/posix/execvp.c.jj 2005-04-26 12:06:47.000000000 +0200 +++ libc/posix/execvp.c 2005-07-24 23:03:03.000000000 +0200 @@ -88,7 +88,7 @@ execvp (file, argv) else { char *path = getenv ("PATH"); - bool path_malloc = false; + char *path_malloc = NULL; if (path == NULL) { /* There is no `PATH' in the environment. @@ -100,7 +100,7 @@ execvp (file, argv) return -1; path[0] = ':'; (void) confstr (_CS_PATH, path + 1, len); - path_malloc = true; + path_malloc = path; } size_t len = strlen (file) + 1; @@ -108,8 +108,7 @@ execvp (file, argv) char *name = malloc (pathlen + len + 1); if (name == NULL) { - if (path_malloc) - free (path); + free (path_malloc); return -1; } /* Copy the file name at the top. */ @@ -190,8 +189,7 @@ execvp (file, argv) free (script_argv); free (name - pathlen); - if (path_malloc) - free (path); + free (path_malloc); } /* Return the error from the last attempt (probably ENOENT). */

Jakub
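Review bot: In the first hunk (@@ -88), `char *path_malloc = NULL;` is no longer a flag but the saved start of the confstr buffer, and nothing in the hunk says why a second pointer is kept next to path. A one-line comment there, stating that path is moved along the components during the search and that path_malloc is the only value that may be passed to free, would stop a later cleanup from folding the two back together. A name that no longer reads like a boolean would help for the same reason.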
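Review bot: In the last hunk (@@ -190), the context line `free (name - pathlen);` still recovers an allocation's start by pointer arithmetic, which is the same pattern this patch removes for path. Nothing visible here shows it to be wrong, but it stays correct only as long as every adjustment of name between the malloc and this free is exactly pathlen. Consider keeping the pointer returned by `malloc (pathlen + len + 1)` in its own variable and freeing that, as is now done with path_malloc.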
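The pointer discipline the message describes, as an added example that is not part of the original mail and is not glibc code: the buffer's start is kept in base for free, while a separate cursor is advanced over the components of ":" + confstr (_CS_PATH). The names walk_default_path, component_fn, first_len_cb and first_component_len are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical callback type: called once per component of the default
   path; a nonzero return stops the walk.  */
typedef int (*component_fn) (const char *dir, size_t dirlen, void *arg);

/* Build ":" + confstr (_CS_PATH) as execvp does when PATH is unset, visit
   each component, then release the buffer.  Returns the number of
   components visited, or -1 if allocation fails.  */
int walk_default_path (component_fn fn, void *arg)
{
  size_t len = confstr (_CS_PATH, NULL, 0);
  char *base = malloc (len + 2);   /* the only pointer free may receive */
  if (base == NULL)
    return -1;
  base[0] = ':';
  base[1] = '\0';                  /* stays terminated if confstr gives nothing */
  (void) confstr (_CS_PATH, base + 1, len);
  int visited = 0;
  char *p = base;                  /* cursor: advanced below, never freed */
  for (;;)
    {
      char *end = strchr (p, ':');
      size_t dirlen = end != NULL ? (size_t) (end - p) : strlen (p);
      ++visited;
      if ((fn != NULL && fn (p, dirlen, arg) != 0) || end == NULL)
        break;
      p = end + 1;                 /* now points into the middle of base */
    }
  /* free (p) here is the bug from the report: p is base plus an offset.  */
  free (base);
  return visited;
}

/* Sample callback: store the first component's length and stop.  */
static int first_len_cb (const char *dir, size_t dirlen, void *arg)
{
  (void) dir;
  *(size_t *) arg = dirlen;
  return 1;
}

/* Length of the first component; 0 is the leading empty entry (cwd).  */
size_t first_component_len (void)
{
  size_t n = (size_t) -1;
  walk_default_path (first_len_cb, &n);
  return n;
}
```

Running this under a checking allocator (for example with MALLOC_CHECK_ set, or under valgrind) with `free (base)` swapped for `free (p)` reproduces the invalid-free report without needing to exec anything.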