Date:      Mon, 30 Apr 2007 21:05:38 +0400
From:      Andrey Chernov <ache@freebsd.org>
To:        John Baldwin <jhb@freebsd.org>
Cc:        cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Subject:   Re: cvs commit: src/usr.sbin/sysinstall main.c
Message-ID:  <20070430170537.GA82681@nagual.pp.ru>
In-Reply-To: <200704301254.45807.jhb@freebsd.org>
References:  <200704301516.l3UFGJbu019162@repoman.freebsd.org> <200704301229.21190.jhb@freebsd.org> <200704301254.45807.jhb@freebsd.org>

On Mon, Apr 30, 2007 at 12:54:45PM -0400, John Baldwin wrote:
> Hmm, I think I see that this is orthogonal to the setenv(3) fix, but still, if 
> one does this:
> 
> 	char *cp = strdup("FOO=bar");
> 	putenv(cp);
> 	...
> 	setenv("FOO", "baz");

The cp value is undefined right here and can't be safely printed afterwards.
Anything can happen at printf, including a core dump.

> 	...
> 	setenv("FOO", "really_long_string");
> 	...
> 	printf("FOO: %s\n", cp + 4);
> 
> You are going to get 'baz' in the printf output.  Or if one does:
> 
> 	char *cp = strdup("FOO=bar");
> 	putenv(cp);
> 	...
> 	setenv("FOO", "really_long_string");

Again, the cp value is undefined right here and can't be safely printed
afterwards.

> 	...
> 	strcpy(cp + 4, "baz");
> 	...
> 	printf("FOO: %s\n", getenv("FOO"));
> 
> You are going to get 'really_long_string' in the printf output, and not 'baz'.

-- 
http://ache.pp.ru/
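The sequence argued over above, replayed as an added example (not code from the thread or from FreeBSD libc): the string given to putenv(3) is treated as owned by the environment from then on, and the caller reads only private copies taken from getenv(3) and updates only through setenv(3). The helpers env_snapshot, env_set and demo_sequence are hypothetical names introduced here; the "FOO" values are the constructed inputs from the thread.

```c
#define _DEFAULT_SOURCE   /* declare putenv/setenv/strdup on glibc under strict -std */
#include <stdlib.h>
#include <string.h>

/* Return a heap copy of NAME's current value, or NULL if it is unset.
 * Unlike a retained putenv() pointer, the copy stays valid no matter
 * what later setenv()/putenv() calls do to the environment's storage. */
char *env_snapshot(const char *name)
{
    const char *v = getenv(name);
    return v ? strdup(v) : NULL;
}

/* Update NAME only through setenv(3); never write into a buffer that was
 * previously handed to putenv(3). Returns 0 on success, -1 on failure. */
int env_set(const char *name, const char *value)
{
    return setenv(name, value, 1);
}

/* Replay the thread's putenv/setenv sequence, observing the variable via
 * snapshots instead of the original cp pointer. Returns 1 when every
 * observed value is what POSIX guarantees getenv(3) to report at that
 * step, 0 otherwise. */
int demo_sequence(void)
{
    char *cp = strdup("FOO=bar");          /* constructed input */
    if (cp == NULL || putenv(cp) != 0)
        return 0;
    /* cp now belongs to the environment: do not read, write or free it. */

    char *before = env_snapshot("FOO");    /* expect "bar" */
    if (env_set("FOO", "baz") != 0)
        return 0;
    char *mid = env_snapshot("FOO");       /* expect "baz" */
    if (env_set("FOO", "really_long_string") != 0)
        return 0;
    char *after = env_snapshot("FOO");     /* expect "really_long_string" */

    int ok = before && mid && after &&
             strcmp(before, "bar") == 0 &&
             strcmp(mid, "baz") == 0 &&
             strcmp(after, "really_long_string") == 0;
    free(before);
    free(mid);
    free(after);
    return ok;
}
```

Whether cp itself still points at "FOO=bar" after the setenv calls depends on the libc, which is exactly why the example never dereferences it again.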
