This only manifests in exceptional circumstances when the variables exceed
the buffer size. It can be reproduced as follows:
[kill existing udevd and udevadm]
valgrind -q ./udevd & sleep 1
LONG=`dd if=/dev/zero bs=1 count=500 | tr '\0' 'A'` # 500 character string
for VAR in a b c d; do
./udevadm control --env $VAR=$LONG
done
./udevadm monitor -e > /dev/null &
./udevadm trigger
[wait a few seconds]
==17942== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==17942== at 0x511BBC3: __sendto_nocancel (in /usr/lib/debug/libc-2.7.so)
==17942== by 0x407B72: pass_env_to_socket (udev_rules.c:500)
==17942== by 0x407C7F: udev_rules_run (udev_rules.c:517)
==17942== by 0x410DDB: udev_event_process (udevd.c:145)
==17942== by 0x411217: udev_event_run (udevd.c:251)
==17942== by 0x411E78: msg_queue_manager (udevd.c:581)
==17942== by 0x413C10: main (udevd.c:1282)
==17942== Address 0x7fefff0af is on thread 1's stack
...
kill %1 %2
[restart normal udevd]
diff --git a/udev/udev_rules.c b/udev/udev_rules.c
index f372a61..9ed4d62 100644
--- a/udev/udev_rules.c
+++ b/udev/udev_rules.c
@@ -490,8 +490,8 @@ static int pass_env_to_socket(const char *sockpath, const char *devpath, const c
bufpos = snprintf(buf, sizeof(buf)-1, "%s@%s", action, devpath);
bufpos++;
- for (i = 0; environ[i] != NULL && bufpos < (sizeof(buf)-1); i++) {
- bufpos += strlcpy(&buf[bufpos], environ[i], sizeof(buf) - bufpos-1);
+ for (i = 0; environ[i] != NULL && bufpos < sizeof(buf); i++) {
+ bufpos += strlcpy(&buf[bufpos], environ[i], sizeof(buf) - bufpos);
bufpos++;
}
if (bufpos > sizeof(buf))
--
To unsubscribe from this list: send the line "unsubscribe linux-hotplug" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
