From d222983eed2efddbd4a1380e23bc3f43edfc522e Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=A9mie=20Galarneau?=
 <jeremie.galarneau@efficios.com>
Date: Fri, 1 Dec 2017 00:18:03 +0100
Subject: [PATCH] Fix: using putenv() and free()-ing the value is invalid
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

putenv() does not copy the string passed as the parameter. Hence,
free()-ing the string results in an invalid environment. In the
"good" case, we don't care since we execl().

However, on error, our process now has an invalid environment
which can cause breakage further down the line.

Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
---
 src/bin/lttng-sessiond/main.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/bin/lttng-sessiond/main.c b/src/bin/lttng-sessiond/main.c
index 968fec84a..297db20ce 100644
--- a/src/bin/lttng-sessiond/main.c
+++ b/src/bin/lttng-sessiond/main.c
@@ -2450,20 +2450,18 @@ static pid_t spawn_consumerd(struct consumer_data *consumer_data)
 				if (!tmp) {
 					tmp = "";
 				}
-				tmplen = strlen("LD_LIBRARY_PATH=")
-					+ strlen(config.consumerd64_lib_dir.value) + 1 /* : */ + strlen(tmp);
+				tmplen = strlen(config.consumerd64_lib_dir.value) + 1 /* : */ + strlen(tmp);
 				tmpnew = zmalloc(tmplen + 1 /* \0 */);
 				if (!tmpnew) {
 					ret = -ENOMEM;
 					goto error;
 				}
-				strcpy(tmpnew, "LD_LIBRARY_PATH=");
 				strcat(tmpnew, config.consumerd64_lib_dir.value);
 				if (tmp[0] != '\0') {
 					strcat(tmpnew, ":");
 					strcat(tmpnew, tmp);
 				}
-				ret = putenv(tmpnew);
+				ret = setenv("LD_LIBRARY_PATH", tmpnew, 1);
 				if (ret) {
 					ret = -errno;
 					free(tmpnew);
@@ -2491,20 +2489,18 @@ static pid_t spawn_consumerd(struct consumer_data *consumer_data)
 				if (!tmp) {
 					tmp = "";
 				}
-				tmplen = strlen("LD_LIBRARY_PATH=")
-					+ strlen(config.consumerd32_lib_dir.value) + 1 /* : */ + strlen(tmp);
+				tmplen = strlen(config.consumerd32_lib_dir.value) + 1 /* : */ + strlen(tmp);
 				tmpnew = zmalloc(tmplen + 1 /* \0 */);
 				if (!tmpnew) {
 					ret = -ENOMEM;
 					goto error;
 				}
-				strcpy(tmpnew, "LD_LIBRARY_PATH=");
 				strcat(tmpnew, config.consumerd32_lib_dir.value);
 				if (tmp[0] != '\0') {
 					strcat(tmpnew, ":");
 					strcat(tmpnew, tmp);
 				}
-				ret = putenv(tmpnew);
+				ret = setenv("LD_LIBRARY_PATH", tmpnew, 1);
 				if (ret) {
 					ret = -errno;
 					free(tmpnew);
-- 
2.34.1