Bug 41290

Summary: at crashes when invoked with invalid environment variables
Product: [Retired] Red Hat Linux Reporter: Need Real Name <wp>
Component: atAssignee: Crutcher Dunnavant <crutcher>
Status: CLOSED RAWHIDE QA Contact: Aaron Brown <abrown>
Severity: low Docs Contact:
Priority: low    
Version: 7.1   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://cliph.linux.pl/at-3.1.8-nullenv.patch
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-05-18 15:00:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Flags
Simple fix. none

Description Need Real Name 2001-05-18 14:54:46 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)

Description of problem:
If you execute at with invalid environment array it crashes with SIGSEGV.
The problem occur only if environment array contains string without ,,=''
character (without value to the variable.

How reproducible:

Steps to Reproduce:
1. Compile following program: 
int main() 
	char * envp[]={ "blah", NULL };
	execle("/usr/bin/at", "at", "now", NULL, envp); 
2. Execute it and look how /usr/bin/at crashes.

Actual Results:  at receives SIGSEGV and crashes because of improper
pointer setting

Expected Results:  It should not crash ;)

Additional info:

Tested on at-3.1.8-12 and at-3.1.8-16 (from rawhide) on RH 7.0.
Patch available at: http://cliph.linux.pl/at-3.1.8-nullenv.patch
It doesn't seem to be exploitable.

Comment 1 Need Real Name 2001-05-18 15:00:38 UTC
Created attachment 18930 [details]
Simple fix.

Comment 2 Crutcher Dunnavant 2001-06-26 01:44:55 UTC