Bug 41290 - at crashes when invoked with invalid environment variables
Summary: at crashes when invoked with invalid environment variables
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: at
Version: 7.1
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact: Aaron Brown
URL: http://cliph.linux.pl/at-3.1.8-nullen...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-05-18 14:54 UTC by Need Real Name
Modified: 2005-10-31 22:00 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-05-18 15:00:42 UTC
Embargoed:

Attachments (Terms of Use)
Simple fix. (489 bytes, patch)
2001-05-18 15:00 UTC, Need Real Name 		no flags Details | Diff
View All

Description Need Real Name 2001-05-18 14:54:46 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)

Description of problem:
If you execute at with invalid environment array it crashes with SIGSEGV.
The problem occur only if environment array contains string without ,,=''
character (without value to the variable.

How reproducible:
Always

Steps to Reproduce:
1. Compile following program: 
int main() 
{
	char * envp[]={ "blah", NULL };
	execle("/usr/bin/at", "at", "now", NULL, envp); 
}
2. Execute it and look how /usr/bin/at crashes.


Actual Results:  at receives SIGSEGV and crashes because of improper
pointer setting


Expected Results:  It should not crash ;)

Additional info:

Tested on at-3.1.8-12 and at-3.1.8-16 (from rawhide) on RH 7.0.
Patch available at: http://cliph.linux.pl/at-3.1.8-nullenv.patch
It doesn't seem to be exploitable.
Comment 1 Need Real Name 2001-05-18 15:00:38 UTC 
Created attachment 18930 [details]
Simple fix.
Comment 2 Crutcher Dunnavant 2001-06-26 01:44:55 UTC 
ok
Note You need to log in before you can comment on or make changes to this bug.