> On Tue, Jan 14, 2003 at 03:28:23PM -0500, Richard B. Johnson wrote:
> > On Tue, 14 Jan 2003, Mark Mielke wrote:
> > > On Tue, Jan 14, 2003 at 02:56:35PM -0500, Richard B. Johnson wrote:
> > > > Well I just grepped through usr/include/bits/posix1_lim.h and it
> > > > shows 255 (with this 'C' library) so you are probably right.
> > > > In any event, a "whole line of text" isn't going to overrun it.
> > > Looking at the code, it looks to me as if argv[0] can be any size up to
> > > _SC_ARG_MAX, with the restraining factor being that the environment
> > > variables and the other arguments must fit in the same space.
> > > Is this not correct?
> > Don't think so. In my headers _SC_ARG_MAX is an enumerated type
> > that is numerically equal to 0. It's in confname.h, the first
> > element in the enumerated list.
>
> _SC_ARG_MAX is one of the identifiers that are used with sysconf() to
> lookup a system-wide configuration value:
>
> $ perl -MPOSIX -e 'print sysconf(_SC_ARG_MAX), "\n"'
> 131072
>
> The environment size for a program invoked using exec() can be up to
> 131072 bytes long (my configuration). This environment holds the
> command arguments as well as the environment.
>
> On my system, _SC_ARG_MAX is telling me that it is possible to have
> argv[0] be just under 131072 bytes long.
>
> mark
>
The following program shows why it's not "safe" to do anything
with argv[0].
#include <stdio.h>
int main(int c, char *argv[], char *env[])
{
int i;
i = 0;
printf("Stack is at %p\n", &i);
while(argv[i])
{
printf("Pointer at %p = %s\n", argv[i], argv[i]);
i++;
}
i = 0;
while(env[i])
{
printf("Pointer at %p = %s\n", env[i], env[i]);
i++;
}
return 0;
}
Everything is lined-up, sitting on the stack, and all variable-
length.
I looked at sendmail and it just does:
strcpy(argv[0] ,"sendmail:accepting connections");
But sendmail doesn't use the environment so if it gets trashed
it doesn't make any difference. It looks as though, if the
environment was small, i.e., only "TERM=vt100", sendmail might
have problems if main() ever returns to _start. The stack
will be trashed. But, most 'C' code doesn't do "return N;" from
main, certainly not a daemon, most call exit().
Anyway, overwriting argv[0] is done, but it's not "safe".
Cheers,
Dick Johnson
Penguin : Linux version 2.4.18 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/