Date: Thu, 03 Dec 2009 21:13:39 +0200
From: Dmitry Pryanishnikov <lynx.ripe@gmail.com>
To: Jamie Landeg Jones <jamie@bishopston.net>
Cc: freebsd-security@freebsd.org, timo.schoeler@riscworks.net
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Message-ID: <4B180DE3.9010304@gmail.com>

> Just in case there is some other way of exploiting the fact that rtld.c didn't
> check whether unsetenv was successful (which I bet people are now looking for)
> I'd apply the patch to 6.3 and 6.4 also, just to be sure.

Well, they can search as long as they wish - _but_ there's just nothing to search:

void
unsetenv(name)
	const char *name;
{
	extern char **environ;
	char **p;
	int offset;

	while (__findenv(name, &offset))	/* if set multiple times */
		for (p = &environ[offset];; ++p)
			if (!(*p = *(p + 1)))
				break;
}

So unsetenv in 6.* just won't return until __findenv(name) returns NULL - but then
__findenv() will return NULL next time in getenv(name). So we had robust,
consistent implementation in 6.* and before; now we haven't ;(

Sincerely, Dmitry
-- 
nic-hdl: LYNX-RIPE
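
The property described in the message above, as an added example that is not part of the original e-mail or of FreeBSD's source: the same removal loop run over a constructed environment vector containing a duplicated name, followed by a lookup that fails closed if the name is still resolvable. `find_env`, `unset_all`, `scrub_and_verify` and the sample entries are assumptions made for illustration; `find_env` is a simplified stand-in for `__findenv()`.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for __findenv(): returns the value of the first
 * "name=value" entry and stores its index in *offset, or NULL if absent. */
static char *find_env(char **env, const char *name, int *offset)
{
    size_t len = strlen(name);
    for (int i = 0; env[i] != NULL; i++) {
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=') {
            *offset = i;
            return env[i] + len + 1;
        }
    }
    return NULL;
}

/* Same loop as the quoted 6.x unsetenv(), over a caller-supplied vector:
 * keeps shifting entries down until the lookup finds nothing. */
static void unset_all(char **env, const char *name)
{
    int offset;
    char **p;
    while (find_env(env, name, &offset))   /* if set multiple times */
        for (p = &env[offset];; ++p)
            if (!(*p = *(p + 1)))
                break;
}

/* Number of entries before the terminating NULL. */
static int count_env(char **env)
{
    int n = 0;
    while (env[n] != NULL)
        n++;
    return n;
}

/* Scrub a name, then verify by lookup instead of trusting the scrubber.
 * Returns 0 when the name is gone, -1 when the caller must refuse to go on. */
static int scrub_and_verify(char **env, const char *name)
{
    int offset;
    unset_all(env, name);
    return find_env(env, name, &offset) == NULL ? 0 : -1;
}

int main(void)
{
    /* Constructed sample environment; LD_PRELOAD appears twice on purpose. */
    char *env[] = { "PATH=/bin", "LD_PRELOAD=/tmp/a.so", "HOME=/root",
                    "LD_PRELOAD=/tmp/b.so", NULL };
    return scrub_and_verify(env, "LD_PRELOAD") == 0 && count_env(env) == 2 ? 0 : 1;
}
```
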