If I understand the semantics of putenv(), it uses the passed string directly, so the caller must not free it. Patch attached.
busybox-202-mdev-putenv-bug.patch [^] (455 bytes) 06-07-07 11:34 mdev.patch [^] (11,080 bytes) 06-07-07 13:33 
| Anonymous | Login | Signup for a new account | 11-10-2008 11:16 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0001385 | [BusyBox] Other | major | random | 06-07-07 11:34 | 06-08-07 09:56 | ||||
| Reporter | eswierk | View Status | public | ||||||
| Assigned To | BusyBox | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | 1.4.x | ||||||
| Summary | 0001385: Unsafe putenv() in mdev corrupts environment | ||||||||
| Description |
An unsafe use of putenv() in mdev.c (BusyBox 1.5.1) occasionally corrupts the environment, causing the spawned process to receive garbage in the MDEV variable. This occurs only intermittenly, and only when mdev -s is invoked explicitly. If I understand the semantics of putenv(), it uses the passed string directly, so the caller must not free it. Patch attached. |
||||||||
| Additional Information | |||||||||
| Attached Files |
busybox-202-mdev-putenv-bug.patch [^] (455 bytes) 06-07-07 11:34 mdev.patch [^] (11,080 bytes) 06-07-07 13:33 |
||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0002462) Souf 06-07-07 13:32 |
I already sent a patch for Mdev, I attach it still here, tray it. http://busybox.net/lists/busybox/2007-June/027588.html [^] http://busybox.net/lists/busybox/2007-May/027515.html [^] http://busybox.net/lists/busybox/2007-May/027416.html [^] http://busybox.net/lists/busybox/2007-May/027367.html [^] |
|
(0002468) vda 06-08-07 09:05 |
if (command) { int rc; - char *s; - s = xasprintf("MDEV=%s", device_name); - putenv(s); + setenv("MDEV", device_name, 1); rc = system(command); - s[4] = 0; - putenv(s); - free(s); free(command); if (rc == -1) bb_perror_msg_and_die("cannot run %s", command); } s is freed after system() call. command will never get garbled environment. I'd just use unsetenv() instead of putenv() to make action clear(er). |
|
(0002469) vda 06-08-07 09:56 |
Closing. Code looks like this now: if (command) { /* setenv will leak memory, so use putenv */ char *s = xasprintf("MDEV=%s", device_name); putenv(s); if (system(command) == -1) bb_perror_msg_and_die("cannot run %s", command); s[4] = '\0'; unsetenv(s); free(s); free(command); } Souf, your mdev patches should be revieved and applied by a maintainer who is *actually using mdev*. Please bug them if they keep silent ;) |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 06-07-07 11:34 | eswierk | New Issue | |
| 06-07-07 11:34 | eswierk | Status | new => assigned |
| 06-07-07 11:34 | eswierk | Assigned To | => BusyBox |
| 06-07-07 11:34 | eswierk | File Added: busybox-202-mdev-putenv-bug.patch | |
| 06-07-07 11:40 | eswierk | Issue Monitored: eswierk | |
| 06-07-07 13:32 | Souf | Note Added: 0002462 | |
| 06-07-07 13:33 | Souf | File Added: mdev.patch | |
| 06-08-07 09:05 | vda | Note Added: 0002468 | |
| 06-08-07 09:56 | vda | Status | assigned => closed |
| 06-08-07 09:56 | vda | Note Added: 0002469 | |
| 06-08-07 09:56 | vda | Resolution | open => fixed |
| Copyright © 2000 - 2006 Mantis Group |  |
