AuroraMiddleware/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-11-08 14:20:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

setenv fix memory leak when setting large, duplicate string (BZ #17658)

Browse Source 
glibc maintains a binary tree of environment strings it malloc()ed
itself.  However, it's possible for it to malloc() a string, then find
that an identical string is already in the tree.  In this case, the
memory is leaked and is not freed if the application later calls
__libc_freeres().  Fix this by freeing 'new_value' when it's unneeded.

Test case:
	#include <stdlib.h>
	#include <string.h>

	int main()
	{
		char *p = calloc(100000, 1);
		memset(p, 'A', 99999);
		setenv("TESTVAR", p, 1);
		setenv("TESTVAR", p, 1);
		free(p);
	}

Leak that was reported by valgrind:
	100,008 bytes in 1 blocks are definitely lost in loss record 1 of 1
	   at 0x4C29F90: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
	   by 0x4E6B3D4: __add_to_environ (setenv.c:176)
	   by 0x4C31B8F: setenv (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
	   by 0x400642: main (in /mnt/tmpfs/a.out)
This commit is contained in:
Eric Biggers 2015-01-07 12:10:52 +05:30 committed by Siddhesh Poyarekar
parent fb87ee96d7
commit d5b1c5ed8b
3 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,3 +1,9 @@
2015-01-07 Eric Biggers <ebiggers3@gmail.com>
[BZ #17658]
* stdlib/setenv.c: Fix memory leak when setting large,
duplicate string.
2015-01-06 Vladimir A. Nazarenko <naszar@ya.ru>
. [BZ #17273]

8
NEWS
View File

@ -14,10 +14,10 @@ Version 2.21
17273, 17344, 17363, 17370, 17371, 17411, 17460, 17475, 17485, 17501,
17506, 17508, 17522, 17555, 17570, 17571, 17572, 17573, 17574, 17581,
17582, 17583, 17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625,
17630, 17633, 17634, 17635, 17647, 17653, 17657, 17664, 17665, 17668,
17682, 17717, 17719, 17722, 17723, 17724, 17725, 17732, 17733, 17744,
17745, 17746, 17747, 17775, 17777, 17780, 17781, 17782, 17793, 17796,
17797, 17806
17630, 17633, 17634, 17635, 17647, 17653, 17657, 17658, 17664, 17665,
17668, 17682, 17717, 17719, 17722, 17723, 17724, 17725, 17732, 17733,
17744, 17745, 17746, 17747, 17775, 17777, 17780, 17781, 17782, 17793,
17796, 17797, 17806
* i386 memcpy functions optimized with SSE2 unaligned load/store.

7
stdlib/setenv.c
View File

@ -217,6 +217,13 @@ __add_to_environ (name, value, combined, replace)
/* And remember the value. */
STORE_VALUE (np);
}
#ifdef USE_TSEARCH
else
{
if (__glibc_unlikely (! use_alloca))
free (new_value);
}
#endif
}
*ep = np;