From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/9511
Path: news.gmane.org!not-for-mail
From: Alexander Monakov <amonakov@ispras.ru>
Newsgroups: gmane.linux.lib.musl.general
Subject: [PATCH] env: avoid leaving dangling pointers in __env_map
Date: Sun,  6 Mar 2016 20:22:38 +0300
Message-ID: <1457284958-12429-1-git-send-email-amonakov@ispras.ru>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: plane.gmane.org
X-Trace: ger.gmane.org 1457284987 23141 80.91.229.3 (6 Mar 2016 17:23:07 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 6 Mar 2016 17:23:07 +0000 (UTC)
Cc: Alexander Monakov <amonakov@ispras.ru>
To: musl@lists.openwall.com
Original-X-From: musl-return-9524-gllmg-musl=m.gmane.org@lists.openwall.com Sun Mar 06 18:23:07 2016
Return-path: <musl-return-9524-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@m.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by plane.gmane.org with smtp (Exim 4.69)
	(envelope-from <musl-return-9524-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1accOS-0008Ph-Uj
	for gllmg-musl@m.gmane.org; Sun, 06 Mar 2016 18:23:01 +0100
Original-Received: (qmail 26619 invoked by uid 550); 6 Mar 2016 17:22:59 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Original-Received: (qmail 26573 invoked from network); 6 Mar 2016 17:22:55 -0000
X-Mailer: git-send-email 2.1.3
Xref: news.gmane.org gmane.linux.lib.musl.general:9511
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/9511>

This is the minimal fix for __putenv leaving a pointer to freed heap
storage in __env_map array, which could later on lead to errors such
as double-free.
---
This was discovered by code inspection after Rich asked me to develop
testcases for another environment-related patch in a recent thread.
There's another known issue due to logic errors in surrounding code
(a memory leak due to putenv never freeing storage allocated by preceding
setenv), but that is planned to be addressed with a patch overhauling the
implementation.

Thanks.
Alexander

 src/env/putenv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/env/putenv.c b/src/env/putenv.c
index 4042869..7153042 100644
--- a/src/env/putenv.c
+++ b/src/env/putenv.c
@@ -30,6 +30,7 @@ int __putenv(char *s, int a)
 				}
 			} else {
 				free(__env_map[j]);
+				__env_map[j] = s;
 			}
 		}
 	}
-- 
2.1.3