[BusyBox 0000980]: patch to avoid "broadcast +" syntax
Rich Felker
dalias at aerifal.cx
Wed Nov 29 01:53:16 PST 2006
On Tue, Nov 28, 2006 at 03:02:26PM -0500, Rob Landley wrote:
> On Tuesday 28 November 2006 1:49 pm, Roberto A. Foglietta wrote:
> > Some people use argv[argc+1] and I am wondering if argv is a special
> > vector which is a static sized or segfaults just do not happen
> > because +1 is not enough to get out of the boundaries:
>
> Assuming you don't mind stomping envp, sure.
>
> Did you check your environment variable list to make sure that wasn't changed
> by writing to argv[argc+1]? I believe the layout of this memory is
> determined by the kernel when it does an exec, and that the initial
> environment space starts right after the argument list. But maybe there's
> some padding in there, I haven't looked...
>
> And of course this is on Linux 2.6, haven't tried on older kernels or on MacOS
> X...
I think ELF ABI stores the original 'environ' pointer immediately
after the argument list, and since it's already been copied to extern
char **environ and envp, the copy on the stack is no longer needed and
it doesn't matter if you clobber it. On the other hand, most a.out
ABIs (although they seem to differ in odd and subtle ways) store argc,
argv, and envp right at the stack pointer such that they're ready for
an immediate jump into main, without the need for special setup code
in userspace. On such a system, clobbering argv[argc+1] would probably
damage either the argv strings' contents or environment space, unless
the kernel inserted padding.
Rich
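The layout question discussed in this thread, as an added example that is not part of the original mails: on the ELF startup layout Linux uses, the envp vector begins right after argv's terminating NULL, so argv[argc+1] is the same slot as envp[0]. The function names are the example's own; the program probes the real process vectors and then repeats the store on a constructed vector so the overwrite of envp[0] is visible without corrupting the real environment.

```c
/* Added example, not code from the thread.  Assumes the ELF/Linux
 * startup layout: argv[0..argc-1], NULL, envp[0..], NULL, back to back. */
#include <stdio.h>
#include <string.h>

/* Returns 1 when the slot after argv's terminating NULL is envp[0],
 * i.e. argv[argc + 1] and envp[0] alias the same memory.  Only the
 * address is formed, nothing past argv[argc] is read. */
int argv_abuts_envp(int argc, char **argv, char **envp)
{
    return argv[argc] == NULL && &argv[argc + 1] == &envp[0];
}

/* The consequence of the write the thread asks about, performed on a
 * vector the caller constructs rather than on the real process stack:
 * storing into argv[argc + 1] changes what envp[0] points to.
 * Returns the string envp[0] refers to afterwards. */
const char *clobber_first_env(int argc, char **argv, char **envp,
                              char *replacement)
{
    argv[argc + 1] = replacement;   /* writes one slot past the NULL */
    return envp[0];
}

int main(int argc, char **argv, char **envp)
{
    /* Real process: report whether argv and envp are adjacent here. */
    printf("argv[argc] is %s, &argv[argc+1] %s envp\n",
           argv[argc] == NULL ? "NULL" : "non-NULL",
           argv_abuts_envp(argc, argv, envp) ? "==" : "!=");

    /* Constructed vector (sample data) mimicking that layout. */
    char *vec[] = { "prog", "x", NULL, "HOME=/tmp", "PATH=/bin", NULL };
    char **fake_argv = vec;
    char **fake_envp = vec + 3;
    const char *before = fake_envp[0];
    const char *after = clobber_first_env(2, fake_argv, fake_envp,
                                          "HOME=/clobbered");
    printf("envp[0] before: %s, after: %s\n", before, after);
    return 0;
}
```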