Bugzilla – Bug 155246
The execvp() routine in glibc calls free() with an invalid pointer in unusual circumstances
Last modified: 2006-03-05 06:35:11 UTC
The execvp() routine sometimes allocates some space and fills it with PATH information from the confstr() library call.

size_t len = confstr (_CS_PATH, (char *) NULL, 0);
path = (char *) malloc (1 + len);
...

It iteratively uses this allocated area to locate colon-separated directory paths. If all attempts to exec the filename fail (using the directory paths as prefixes), it frees the path variable at the end of the routine. But the value passed to the free() call is not the original value allocated -- path is modified in the loop.

Here is a simple diff listing of the original execvp.c file and a corrected file. The execvp.c file came from the following RPM: glibc-2.3.5-40.src.rpm, which was retrieved from a Novell FTP site.

91a92
> char * path_buffer = NULL;
98c99
< path = (char *) malloc (1 + len);
---
> path = path_buffer = (char *) malloc (1 + len);
112c113
< free (path);
---
> free (path_buffer);
194c195
< free (path);
---
> free (path_buffer);
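Review bot: the 91a92 hunk initializes path_buffer to NULL, which only matters if one of the two free (path_buffer) calls (112c113, 194c195) can be reached before the malloc at 98c99; either drop the initializer or add a short comment at the declaration stating that path is advanced past the start of the buffer in the loop and path_buffer is the pointer to free, so a later cleanup does not revert to free (path). Also, the declaration is written "char * path_buffer"; glibc style is "char *path_buffer".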
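The pointer pattern the report describes, shown as an added C example that is not glibc's execvp.c or the reporter's patch: a cursor path is advanced through a malloc'd copy of a colon-separated list, so free() must be given the saved path_buffer rather than path. The function name, the 64-byte candidate slots and the sample directory list are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Walk a colon-separated directory list (the shape of what confstr(_CS_PATH)
 * returns) the way the report describes execvp() doing it: copy it into a
 * malloc'd buffer and advance a cursor `path` through it, while `path_buffer`
 * keeps the pointer malloc() returned.  Each "dir/file" candidate goes to
 * out[] (at most max).  Returns the candidate count or -1 if malloc fails;
 * *cursor_offset gets how far `path` had moved from the buffer start when
 * the loop ended, i.e. how wrong free(path) would have been. */
int walk_search_path(const char *pathlist, const char *file,
                     char out[][64], int max, size_t *cursor_offset)
{
    char *path_buffer = NULL;   /* owns the allocation; the pointer to free */
    char *path;                 /* cursor, advanced element by element */
    int n = 0;
    path = path_buffer = malloc(strlen(pathlist) + 1);
    if (path == NULL) return -1;
    strcpy(path, pathlist);
    for (;;) {
        char *colon = strchr(path, ':');
        size_t dirlen = colon ? (size_t)(colon - path) : strlen(path);
        if (n < max) {
            if (dirlen == 0)    /* empty element means the current directory */
                snprintf(out[n], 64, "./%s", file);
            else
                snprintf(out[n], 64, "%.*s/%s", (int)dirlen, path, file);
            n++;
        }
        if (colon == NULL)
            break;
        path = colon + 1;       /* after this, path != path_buffer */
    }
    *cursor_offset = (size_t)(path - path_buffer);
    free(path_buffer);          /* free(path) here would be an invalid free */
    return n;
}

int main(void)
{
    char out[8][64];            /* constructed sample list, not a real PATH */
    size_t off;
    int n = walk_search_path("/usr/local/bin:/usr/bin::/bin", "ls", out, 8, &off);
    for (int i = 0; i < n; i++)
        printf("candidate: %s\n", out[i]);
    printf("cursor ended %zu bytes into the buffer\n", off);
    return 0;
}
```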
This bug is only confusing; I don't know what you are diffing, but 10.0 does not have this problem.
Created attachment 71266
posix/execvp.c from glibc-2.3.5-40.src.rpm
I'm sorry if I was not clear. The installation containing the problem *is* Suse 10.

> cat /etc/SuSE-release
SUSE LINUX 10.0 (X86-64)
VERSION = 10.0

The version of glibc which contains the execvp() routine is:

> rpm -q glibc
glibc-2.3.5-40

The file I "diff"ed is execvp.c from the source rpm glibc-2.3.5-40.src.rpm, obtained from a Novell ftp server. I have attached the execvp.c file from that RPM.
glibc-2.3.5-40.src.rpm is the glibc from SUSE Linux 10.0.