Blob Blame History Raw
From d6e771a1936f54ff1693d84625de57b199bd6c6f Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin.pitt@ubuntu.com>
Date: Mon, 1 Jun 2015 11:32:39 +0200
Subject: [PATCH] sd-device: fix invalid property strv pointers

In device_update_properties_bufs(), the strv is built from pointers into the
single nul-terminated buf_nulstr string, to avoid allocating the key=value
strings twice. However, we must not do that while building and
GREEDY_REALLOC0()'ing buf_nulstr, as each time when this actually reallocates
memory the pointers we wrote into buf_strv so far become invalid.

So change the logic to first completely build the new buf_nulstr, and then
iterate over it to pick out the pointers to the individual key=value strings
for properties_strv.

This fixes invalid environment for udev callouts.

(cherry picked from commit d854ba50a82f28b776c670d27156f0e9881fde8a)
---
 src/libsystemd/sd-device/device-private.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/libsystemd/sd-device/device-private.c b/src/libsystemd/sd-device/device-private.c
index 10370af029..deb8efd05d 100644
--- a/src/libsystemd/sd-device/device-private.c
+++ b/src/libsystemd/sd-device/device-private.c
@@ -636,10 +636,9 @@ int device_new_from_nulstr(sd_device **ret, uint8_t *nulstr, size_t len) {
 
 static int device_update_properties_bufs(sd_device *device) {
         const char *val, *prop;
-        char **buf_strv = NULL;
         uint8_t *buf_nulstr = NULL;
-        size_t allocated_nulstr = 0, allocated_strv = 0;
-        size_t nulstr_len = 0, strv_size = 0;
+        size_t allocated_nulstr = 0;
+        size_t nulstr_len = 0, num = 0, i;
 
         assert(device);
 
@@ -655,20 +654,24 @@ static int device_update_properties_bufs(sd_device *device) {
                 if (!buf_nulstr)
                         return -ENOMEM;
 
-                buf_strv = GREEDY_REALLOC0(buf_strv, allocated_strv, strv_size + 2);
-                if (!buf_strv)
-                        return -ENOMEM;
-
-                buf_strv[strv_size ++] = (char *)&buf_nulstr[nulstr_len];
                 strscpyl((char *)buf_nulstr + nulstr_len, len + 1, prop, "=", val, NULL);
                 nulstr_len += len + 1;
+                ++num;
         }
 
         free(device->properties_nulstr);
-        free(device->properties_strv);
         device->properties_nulstr = buf_nulstr;
         device->properties_nulstr_len = nulstr_len;
-        device->properties_strv = buf_strv;
+
+        /* build strv from buf_nulstr */
+        free(device->properties_strv);
+        device->properties_strv = new0(char *, num + 1);
+        i = 0;
+        NULSTR_FOREACH(val, (char*) buf_nulstr) {
+                device->properties_strv[i] = (char *) val;
+                assert(i < num);
+                i++;
+        }
 
         device->properties_buf_outdated = false;