From 1303a4a4517260def862ce7fe97e6b28dd8005e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Mon, 11 May 2015 22:21:31 +0200 Subject: daemon: Fix possible use-after-free. This is essentially a backport of by Eelco Dolstra . The use-after-free bug would typically manifest when building with GCC 5.1. --- nix/libutil/util.cc | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'nix/libutil/util.cc') diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 846674a29d..024cea83d1 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -852,16 +852,20 @@ void killUser(uid_t uid) ////////////////////////////////////////////////////////////////////// +std::vector stringsToCharPtrs(const Strings & ss) +{ + std::vector res; + foreach (Strings::const_iterator, i, ss) + res.push_back(i->c_str()); + res.push_back(0); + return res; +} + + string runProgram(Path program, bool searchPath, const Strings & args) { checkInterrupt(); - std::vector cargs; /* careful with c_str()! */ - cargs.push_back(program.c_str()); - for (Strings::const_iterator i = args.begin(); i != args.end(); ++i) - cargs.push_back(i->c_str()); - cargs.push_back(0); - /* Create a pipe. */ Pipe pipe; pipe.create(); @@ -880,6 +884,10 @@ string runProgram(Path program, bool searchPath, const Strings & args) if (dup2(pipe.writeSide, STDOUT_FILENO) == -1) throw SysError("dupping stdout"); + Strings args_(args); + args_.push_front(program); + auto cargs = stringsToCharPtrs(args_); + if (searchPath) execvp(program.c_str(), (char * *) &cargs[0]); else -- cgit v1.2.3
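Review bot: stringsToCharPtrs returns pointers that borrow from `ss`, and nothing at its definition says so; given the commit subject and the removed "careful with c_str()!" remark, this is presumably the same kind of lifetime hazard the patch is meant to close. Because the parameter is a const reference, a call that passes a temporary list compiles and leaves every returned pointer dangling as soon as that statement ends. I would add a comment above the function, e.g. `/* The returned pointers point into ss: ss must outlive the result and must not be modified while the result is in use. Never pass a temporary. */`. As a smaller style point, `res.push_back(0)` would read more clearly as `res.push_back(nullptr)`, since the second hunk already relies on C++11 `auto`.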
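Review bot: In the second hunk, `args_` and `cargs` are now heap-allocated between what appears to be the fork and the `execvp`, a window in which POSIX guarantees only async-signal-safe calls if the parent had other threads running. The fork itself is outside the hunk, so this is inferred from the `dup2` onto `STDOUT_FILENO`. That is fine while the daemon forks from a single-threaded context, but the assumption is worth writing down next to the code, e.g. `/* Built in the child: args_ must stay alive until exec; assumes no other threads exist at fork time. */`. runProgram starts in the previous hunk and continues past the end of this one.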