| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Zw+uxLIklMHSSxTu@1wt.eu>
Date: Wed, 16 Oct 2024 14:17:08 +0200
From: Willy Tarreau <w@....eu>
To: Thomas Weißschuh <thomas.weissschuh@...utronix.de>
Cc: Thomas Weißschuh <linux@...ssschuh.net>,
"Paul E. McKenney" <paulmck@...nel.org>, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] tools/nolibc/stdlib: fix getenv() with empty environment
Hi Thomas!
On Wed, Oct 16, 2024 at 01:14:51PM +0200, Thomas Weißschuh wrote:
> The environ pointer itself is never NULL, this is guaranteed by crt.h.
> However if the environment is empty, environ will point to a NULL
> pointer.
Good point, however from what I'm seeing on glibc, if the user sets
environ to NULL, getenv() safely reports NULL and doesn't crash. I
don't know what the spec says about environ being NULL, though. I
just tested on freebsd to compare and also get a NULL in this case
as well. So I'd be tempted by keeping the check.
> int idx, i;
>
> - if (environ) {
> + if (*environ) {
> for (idx = 0; environ[idx]; idx++) {
> for (i = 0; name[i] && name[i] == environ[idx][i];)
> i++;
However as a quick note, if we decide we don't care about environ being
NULL, and since this is essentially a cleanup, why not even get rid of
the whole "if" condition, since the loop takes care of it ?
FWIW I tested glibc with this:
#include <stdlib.h>
int main(int argc, char **argv)
{
extern char **environ;
environ=NULL;
return getenv("HOME") == NULL;
}
Cheers,
Willy
Powered by blists - more mailing lists