Fix use-after-free of pointer after realloc(3)
We can't use a pointer that was input to realloc(3), nor any pointers that point to reallocated memory, without making sure that the memory wasn't moved. If we do, the Behavior is Undefined. Signed-off-by: Alejandro Colomar <alx@kernel.org>
This commit is contained in:
Alejandro Colomar
committed by
Serge Hallyn
Serge Hallyn
parent
efbbcade43
commit
7668f77439
@@ -128,12 +128,14 @@ void addenv (const char *string, /*@null@*/const char *value)
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
if ((newenvc & (NEWENVP_STEP - 1)) == 0) {
|
if ((newenvc & (NEWENVP_STEP - 1)) == 0) {
|
||||||
char **__newenvp;
|
bool update_environ;
|
||||||
|
char **__newenvp;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If the resize operation succeeds we can
|
* If the resize operation succeeds we can
|
||||||
* happily go on, else print a message.
|
* happily go on, else print a message.
|
||||||
*/
|
*/
|
||||||
|
update_environ = (environ == newenvp);
|
||||||
|
|
||||||
__newenvp = REALLOCARRAY(newenvp, newenvc + NEWENVP_STEP, char *);
|
__newenvp = REALLOCARRAY(newenvp, newenvc + NEWENVP_STEP, char *);
|
||||||
|
|
||||||
@@ -143,9 +145,8 @@ void addenv (const char *string, /*@null@*/const char *value)
|
|||||||
* environ so that it doesn't point to some
|
* environ so that it doesn't point to some
|
||||||
* free memory area (realloc() could move it).
|
* free memory area (realloc() could move it).
|
||||||
*/
|
*/
|
||||||
if (environ == newenvp) {
|
if (update_environ)
|
||||||
environ = __newenvp;
|
environ = __newenvp;
|
||||||
}
|
|
||||||
newenvp = __newenvp;
|
newenvp = __newenvp;
|
||||||
} else {
|
} else {
|
||||||
(void) fputs (_("Environment overflow\n"), log_get_logfd());
|
(void) fputs (_("Environment overflow\n"), log_get_logfd());
|
||||||
|
|||||||
Reference in New Issue
Block a user