Subject: lib/12393: segfault in setenv(3)
To: None <gnats-bugs@gnats.netbsd.org>
From: Simon J. Gerraty <sjg@quick.com.au>
List: netbsd-bugs
Date: 03/12/2001 09:56:35
>Number: 12393
>Category: lib
>Synopsis: when memory runs low, setenv(3) can segfault.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 12 09:58:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Simon J. Gerraty
>Release: 2001-03-05
>Organization:
Zen Programming...
>Environment:
System: NetBSD zen.quick.com.au 1.4.2 NetBSD 1.4.2 (ZEN) #2: Wed Mar 22 01:07:26 EST 2000 root@zen.quick.com.au:/u3/NetBSD/1.4.X/src/sys/arch/i386/compile/ZEN i386
>Description:
Setenv(3) does not check for environ==NULL. If the realloc of environ fails,
environ will be NULL and the next call to setenv or unsetenv will segfault.
>How-To-Repeat:
>Fix:
The following may be a bit crude, but should do the trick.
Index: lib/libc/stdlib/setenv.c
===================================================================
RCS file: /cvsroot/basesrc/lib/libc/stdlib/setenv.c,v
retrieving revision 1.19
diff -u -p -r1.19 setenv.c
--- lib/libc/stdlib/setenv.c 2000/12/20 18:38:30 1.19
+++ lib/libc/stdlib/setenv.c 2001/03/09 21:31:49
@@ -85,6 +85,11 @@ setenv(name, value, rewrite)
++value;
l_value = strlen(value);
rwlock_wrlock(&__environ_lock);
+ if (environ == NULL) {
+ errno = ENOMEM;
+ rwlock_unlock(&__environ_lock);
+ return (-1);
+ }
/* find if already exists */
if ((c = __findenv(name, &offset)) != NULL) {
if (!rewrite) {
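Review bot: The new `environ == NULL` check at the top of setenv() handles the symptom rather than the cause. Per the description, environ becomes NULL because a failed realloc overwrote it, and with this guard every later setenv() call keeps failing with ENOMEM for the rest of the process, even once memory is available again. Consider fixing the realloc mentioned in the description so its result goes into a temporary and environ is only updated on success, which leaves the old environment intact. If the guard stays, a short comment saying why environ can be NULL at this point would help, since ENOMEM is otherwise a surprising errno for this condition.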
@@ -149,6 +154,13 @@ unsetenv(name)
_DIAGASSERT(name != NULL);
rwlock_wrlock(&__environ_lock);
+
+ if (environ == NULL) {
+ errno = ENOMEM;
+ rwlock_unlock(&__environ_lock);
+ return;
+ }
+
while (__findenv(name, &offset)) /* if set multiple times */
for (p = &environ[offset];; ++p)
if (!(*p = *(p + 1)))
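Review bot: In the unsetenv() guard, `errno = ENOMEM` is set but the function leaves with a bare `return;`, so a caller has no return value telling it to look at errno. Either drop the errno assignment (with environ NULL there is nothing to remove, so returning quietly is a reasonable outcome) or document that unsetenv() can set errno. The added blank `+` line right after `rwlock_wrlock(&__environ_lock);` also differs from the setenv() hunk, where the check follows the lock directly; keeping the two guards laid out the same way would be tidier.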
>Release-Note:
>Audit-Trail:
>Unformatted: