Subject: Re: NULL program argument checks?
To: None <tech-security@netbsd.org>
From: Jed Davis <jdev@panix.com>
List: tech-security
Date: 04/06/2006 22:57:45
Curt Sampson <cjs@cynic.net> writes:

> On Thu, 6 Apr 2006, Hubert Feyrer wrote:
>
>> I think this only happens if argc isn't consistent with
>> argv[]. Looking at the execl() etc. prototypes, it seems that
>> "something" is calculating argc automatically, and that an
>> inconsistent argc can't be passed in maliciously at least...
>
> If execve doesn't carefully check its arguments, you could pass it an
> argv consisting of ["foo", NULL, "bar"], and that would do it.

It can't possibly; there's no other way the length is passed into
execve(), so all it can see is that there's one element followed by a
NULL, and it will have to set argc to 1.

-- 
(let ((C call-with-current-continuation)) (apply (lambda (x y) (x y)) (map
((lambda (r) ((C C) (lambda (s) (r (lambda l (apply (s s) l))))))  (lambda
(f) (lambda (l) (if (null? l) C (lambda (k) (display (car l)) ((f (cdr l))
(C k)))))))    '((#\J #\d #\D #\v #\s) (#\e #\space #\a #\i #\newline)))))
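The point Jed makes above, as an added example (not code from the thread or from NetBSD): execve() receives only a pointer to the vector, so the only length information it has is the position of the first NULL pointer. count_argv() mirrors that walk, and args_delivered() actually execs /bin/sh with a vector that has a NULL in the middle and reads back how many arguments the child saw. The vectors, the function names and the use of `sh -c 'echo $#'` as the probe are constructed for this example; it assumes a POSIX system with /bin/sh.

```c
/* Added example: execve() learns argc only by walking argv up to the
 * first NULL pointer, so {"foo", NULL, "bar"} reaches the new program
 * as argc == 1. Assumes a POSIX system with /bin/sh. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* What the kernel does on exec: count pointers up to the first NULL.
 * Anything after that NULL is never copied into the new image. */
int count_argv(char *const argv[])
{
    int n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* Fork, exec /bin/sh with exactly this argv vector (no repacking), and
 * return the integer the script printed on stdout, or -1 on failure. */
static int exec_sh_read_int(char *const argv[])
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        close(fds[1]);
        execv("/bin/sh", argv);   /* argv passed through untouched */
        _exit(127);
    }
    close(fds[1]);
    char buf[64];
    size_t total = 0;
    ssize_t n;
    while (total < sizeof buf - 1 &&
           (n = read(fds[0], buf + total, sizeof buf - 1 - total)) > 0)
        total += (size_t)n;
    close(fds[0]);
    buf[total] = '\0';
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return -1;
    return total ? atoi(buf) : -1;
}

/* Constructed vectors. "sh -c SCRIPT NAME ARGS..." runs SCRIPT with
 * $0 = NAME and $1.. = ARGS, so $# reports how many ARGS the child got.
 * holed_vec has a NULL where the first ARG would be; "bar" and "baz"
 * sit after it in memory but are invisible to the kernel's walk. */
static char script[] = "echo $#";
static char *full_vec[]  = { "sh", "-c", script, "name", "bar", "baz", NULL };
static char *holed_vec[] = { "sh", "-c", script, "name", NULL, "bar", "baz", NULL };

/* Number of positional arguments the child shell actually received. */
int args_delivered(int with_hole)
{
    return exec_sh_read_int(with_hole ? holed_vec : full_vec);
}

int main(void)
{
    printf("kernel-style count: full=%d holed=%d\n",
           count_argv(full_vec), count_argv(holed_vec));
    printf("child $#: full=%d holed=%d\n",
           args_delivered(0), args_delivered(1));
    return 0;
}
```

With the full vector the child sees argc 6 and $# is 2; with the hole the kernel stops at the fourth pointer, the child sees argc 4 and $# is 0, and the "bar"/"baz" pointers past the NULL never reach the new program. That is why an execve caller cannot hand the new image an argc that disagrees with its argv: the count is derived from the vector, not supplied alongside it.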