[4158] in bugtraq
Re: xterm segfaults from environment variables - too obvious
daemon@ATHENA.MIT.EDU (David Luyer)
Wed Mar 12 00:53:59 1997
Date: Wed, 12 Mar 1997 13:10:15 +0800
Reply-To: David Luyer <luyer@UCS.UWA.EDU.AU>
From: David Luyer <luyer@UCS.UWA.EDU.AU>
X-To: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.970311135228.6913A-100000@phobos.illtel.denver.co.us>
On Tue, 11 Mar 1997, Alex Belits wrote:
> After some looking at the code, I think I've found the real cause of
> the coredumps. getenv in getenv2.so always returns the same static buffer,
> while the real getenv returns pointers into the actual environment. xterm
> crashes with getenv2.so compiled from the given source but doesn't crash
> if the static keyword is removed, which causes the "environment values" to
> be malloc'ed every time.
You are COMPLETELY wrong here. xterm crashes on this system by putting
60,000 characters into the relevant environment variables as found by the
script; I have tested this. Think about your code mod - removing static
from the variable means !big_string_buf is always defined and there is
never an attempt to overflow a variable!!!
Please, have a clue and don't accuse perfectly working code of not working
and change it with complete disregard for the algorithm.
    int i;                              /* loop counter, then the ENV_TEST_VAR value */
    char **ep;

    static char *big_string_buf = 0;    /* static: the pointer persists across calls */
    if (!big_string_buf) {              /* so this block only happens once */
        /* 70000 bytes of filler plus one byte for the terminator written below */
        if (!(big_string_buf = (char *)malloc(70001))) {
            big_string_buf = "mallocfailed";
            printf("Failed to malloc test string buffer.\n");
        } else {
            for (i = 0; i < 70000/4; i++)
                memcpy(big_string_buf + i*4, "f00l", 4);
            big_string_buf[70000] = '\0';   /* the extra byte allocated above */
        }
        /* scanned inside the once-only block; otherwise i gets reset each cycle */
        for (ep = __environ; *ep != 0; ++ep)
            if (!strncmp(*ep, "ENV_TEST_VAR=", 13))
                i = atoi(&(*ep)[13]);
    }
David.
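Added example, not code from either poster or from getenv2.so: it scans an environment block the way the test library above does, and pairs that lookup with a bounded copy that refuses a value which would not fit the destination, the check whose absence turns a 60,000-character variable into a crash. The function names, the constructed environment and the 256-byte destination are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scan an environment block (an envp-style NULL-terminated array) for NAME
 * and return a pointer to its value inside the block, or NULL if unset. */
const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (char **ep = envp; *ep != NULL; ++ep)
        if (strncmp(*ep, name, n) == 0 && (*ep)[n] == '=')
            return *ep + n + 1;
    return NULL;
}

/* Copy the value of NAME into dst, refusing values that do not fit.
 * Returns the value length, -1 if NAME is unset, or -2 if the value would
 * overflow dst (the case an unchecked strcpy turns into memory corruption). */
long env_copy_bounded(char **envp, const char *name, char *dst, size_t dstsz)
{
    const char *v = env_lookup(envp, name);
    if (v == NULL)
        return -1;
    size_t len = strlen(v);
    if (len >= dstsz)
        return -2;
    memcpy(dst, v, len + 1);
    return (long)len;
}

/* Constructed environment for the demonstration: one ordinary variable and
 * one whose value is 60,000 bytes long, the size used in the test above. */
char **make_test_env(void)
{
    static char *envp[3];
    static char big[sizeof("DISPLAY=") + 60000];
    memcpy(big, "DISPLAY=", 8);
    memset(big + 8, 'A', 60000);
    big[8 + 60000] = '\0';
    envp[0] = "TERM=xterm";
    envp[1] = big;
    envp[2] = NULL;
    return envp;
}

int main(void)
{
    char buf[256], **envp = make_test_env();
    printf("TERM    -> %ld\n", env_copy_bounded(envp, "TERM", buf, sizeof buf));
    printf("DISPLAY -> %ld\n", env_copy_bounded(envp, "DISPLAY", buf, sizeof buf));
    return 0;
}
```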