Bugtraq mailing list archives

Re: simple kde exploit fix


From: thospel () mail dma be (Ton Hospel)
Date: Mon, 18 May 1998 20:02:10 GMT


In article <Pine.LNX.3.96.980518103111.11608A-100000 () digi1 inreach net>,
        digi <digi () inreach net> writes:
> why not:
>
>    char *env;
>    env = getenv("HOME");
>    if(env)
>       env[BUFLEN] = '\0';
>    else
>       do_something_intelligent();
>
> would save memcpy()ing and strlen()ing.

Dangerous unless you know very well where your env buffer
really comes from (and goes to).

- I have seen C implementations where all getenv's use copying into one
  static buffer -> another getenv() somewhere in the program
  might unexpectedly change your env
- I have seen C implementations where these are pointers
  into an env space -> then you really hit the data (next getenv
  might be surprised), or you might even be modifying a different
  environment variable

For getenv it's usually best to copy the value from out of the result,
before some other getenv or putenv changes it.
--
My pid is Inigo Montoya.  You kill -9 my parent process.  Prepare to vi.
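
Added example, not part of the original post: one way to follow the advice above by copying the `getenv()` result into a caller-owned buffer before any later `getenv()`/`setenv()` call can change it. `copy_env`, `copy_survives_env_change`, the `BUFLEN` value and the sample `HOME` strings are assumptions made for illustration; rejecting an over-long value instead of truncating it is a choice made here, not something stated in the thread.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv(), used only by the demo */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUFLEN 64   /* assumed size; the thread gives no value */

/* Copy the value of `name` into the caller's own buffer.
 * Returns 0 on success, -1 if the variable is unset, -2 if the value
 * does not fit. The string returned by getenv() is never written to. */
int copy_env(const char *name, char *dst, size_t dstlen)
{
    const char *val;
    size_t len;
    if (dst == NULL || dstlen == 0)
        return -2;
    dst[0] = '\0';
    val = getenv(name);
    if (val == NULL)
        return -1;
    len = strlen(val);
    if (len >= dstlen)          /* reject instead of truncating (a choice) */
        return -2;
    memcpy(dst, val, len + 1);  /* includes the terminating NUL */
    return 0;
}

/* Returns 1 if the private copy is unchanged after later getenv()/setenv()
 * calls, which may reuse or move the storage getenv() pointed into. */
int copy_survives_env_change(void)
{
    char home[BUFLEN];
    if (setenv("HOME", "/home/constructed", 1) != 0)   /* constructed value */
        return 0;
    if (copy_env("HOME", home, sizeof home) != 0)
        return 0;
    (void)getenv("PATH");                              /* a later lookup */
    if (setenv("HOME", "/somewhere/else", 1) != 0)     /* a later change */
        return 0;
    return strcmp(home, "/home/constructed") == 0;
}

int main(void)
{
    printf("copy intact: %d\n", copy_survives_env_change());
    return 0;
}
```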