[PATCH] var: ensure variables are fully initialised when unset

When a variable is unset by calling setvar(name, 0, 0) the code
to initialise the new, empty variable omits the trailing '='.

Attempts to read the contents of the unset variable will result
in the uninitialised character at the end of the string being
accessed.

For example, running dash under Valgrind and unsetting PATH:

  $ valgrind ./src/dash
  ==9117== Memcheck, a memory error detector
  ==9117== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==9117== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
  ==9117== Command: ./src/dash
  ==9117==
  $ unset PATH
  ==9117== Conditional jump or move depends on uninitialised value(s)
  ==9117==    at 0x40642C: changepath (exec.c:578)
  ==9117==    by 0x411EEB: setvareq (var.c:269)
  ==9117==    by 0x41201B: setvar (var.c:215)
  ==9117==    by 0x4128D4: unsetvar (var.c:628)

This issue was reported for BusyBox ash:

   https://bugs.busybox.net/show_bug.cgi?id=8721

Signed-off-by: Ron Yorston <rmy@xxxxxxxxx>
---
 src/var.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/var.c b/src/var.c
index 0d7e1db..d4d8bd2 100644
--- a/src/var.c
+++ b/src/var.c
@@ -207,8 +207,8 @@ struct var *setvar(const char *name, const char *val, int flags)
 	}
 	INTOFF;
 	p = mempcpy(nameeq = ckmalloc(namelen + vallen + 2), name, namelen);
+	*p++ = '=';
 	if (val) {
-		*p++ = '=';
 		p = mempcpy(p, val, vallen);
 	}
 	*p = '\0';
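Review bot: moving `*p++ = '=';` ahead of `if (val)` is only safe because the allocation `ckmalloc(namelen + vallen + 2)` already reserves a byte for '=' in both branches, which in turn needs vallen to be 0 when val is NULL (that is computed above this hunk, so please confirm it in the same review). A short comment on the line, e.g. that an unset variable is stored as "name=" so callers reading the byte after '=' always find the NUL terminator, would make the invariant explicit for the next reader. A regression check would be the Valgrind run from the description (`unset PATH` under memcheck reporting no uninitialised-value use), since nothing in the hunk exercises the val == NULL path.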
-- 
2.19.1
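To make the failure mode in the description concrete, the following is an added, constructed illustration (not dash's code, and not part of the patch). It builds the "name=value" string both the old way and the fixed way into a buffer pre-filled with 0xAA standing in for whatever ckmalloc() happened to return, then reads the value the way a consumer that uses the strchrnul(s, '=') + 1 idiom would (an assumption about setvareq, which is not shown on this page). With the old ordering and no value, the consumer lands on the filler byte; with the fix it lands on the NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sentinel: models uninitialised heap contents deterministically. */
#define JUNK 0xAA

/* mempcpy-style helper: copy n bytes, return pointer just past them. */
static char *copy_past(char *dst, const char *src, size_t n)
{
	memcpy(dst, src, n);
	return dst + n;
}

/* Build "name=val" (or "name=" when val is NULL) into a fresh buffer.
 * fixed != 0 writes '=' unconditionally (the patch); fixed == 0 writes it
 * only when a value is present (the old behaviour). The +2 covers '=' and NUL. */
static char *build_vareq(const char *name, const char *val, int fixed)
{
	size_t namelen = strlen(name);
	size_t vallen = val ? strlen(val) : 0;
	size_t size = namelen + vallen + 2;
	char *nameeq = malloc(size);
	char *p;

	if (!nameeq)
		return NULL;
	memset(nameeq, JUNK, size);	/* simulate never-written heap bytes */
	p = copy_past(nameeq, name, namelen);
	if (fixed)
		*p++ = '=';
	if (val) {
		if (!fixed)
			*p++ = '=';
		p = copy_past(p, val, vallen);
	}
	*p = '\0';
	return nameeq;
}

/* Consumer modelled on a strchrnul(s, '=') + 1 caller: find '=' or the NUL,
 * then return the byte after it. With no '=' present this steps past the
 * terminator into the byte the old code never initialised. */
static int value_first_byte(const char *vareq)
{
	const char *eq = vareq;

	while (*eq && *eq != '=')
		eq++;
	return (unsigned char)eq[1];
}

int main(void)
{
	char *old = build_vareq("PATH", NULL, 0);
	char *fix = build_vareq("PATH", NULL, 1);

	printf("old: \"%s\" -> next byte 0x%02x\n", old, value_first_byte(old));
	printf("fix: \"%s\" -> next byte 0x%02x\n", fix, value_first_byte(fix));
	free(old);
	free(fix);
	return 0;
}
```

The old ordering yields "PATH" followed by the 0xAA filler, which is exactly the byte Valgrind flags in changepath(); the fixed ordering yields "PATH=" so the consumer reads a NUL and treats the path as empty.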