NetBSD Problem Report #49185

From www@NetBSD.org  Mon Sep  8 16:15:44 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id EAA41B9189
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  8 Sep 2014 16:15:43 +0000 (UTC)
Message-Id: <20140908161542.4455EB918C@mollari.NetBSD.org>
Date: Mon,  8 Sep 2014 16:15:42 +0000 (UTC)
From: conrad.meyer@isilon.com
Reply-To: conrad.meyer@isilon.com
To: gnats-bugs@NetBSD.org
Subject: strvisx: Handle zero-length input strings gracefully.
X-Send-Pr-Version: www-1.0

>Number:         49185
>Category:       lib
>Synopsis:       strvisx: Handle zero-length input strings gracefully.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 08 16:20:00 +0000 2014
>Last-Modified:  Mon Sep 08 16:50:00 +0000 2014
>Originator:     Conrad Meyer
>Release:        FreeBSD CURRENT / NetBSD CVS HEAD
>Organization:
EMC / Isilon storage division
>Environment:
FreeBSD cemvbox9993 11.0-RELEASE FreeBSD 11.0-RELEASE amd64

>Description:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193447

The internal istrsenvisx() routine overloaded the zero length value as a
sentinel for "use strlen(3)." This is bad because the zero-length source string
has a defined behavior and the pointer for a zero-length string may be
completely bogus. Calling strlen(3) on a bogus pointer is bad.

Instead, use ssize_t for the input string length and use a #defined constant
MB_STRZ == (-1) as the sentinel for the nul-terminated strvis variants (strvis,
etc).

>How-To-Repeat:
Call strvisx() on a zero length input string.
>Fix:
See patch in comment 0 here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193447

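To make the sentinel collision concrete, the following is an added illustration written for this PR, not NetBSD's vis.c: a toy escaper stands in for the real vis(3) machinery, `strvisx_old` keeps the "0 means strlen(3)" convention, and `strvisx_new` uses a signed length with a hypothetical `MB_STRZ` sentinel as proposed above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical sentinel mirroring the PR's proposed MB_STRZ == (-1). */
#define MB_STRZ ((ssize_t)-1)

/* Minimal \ooo encoder; a constructed stand-in for the real vis(3) code. */
static size_t
encode(char *dst, const char *src, size_t len)
{
	size_t out = 0;
	for (size_t i = 0; i < len; i++) {
		unsigned char c = (unsigned char)src[i];
		if (isprint(c) && c != '\\')
			dst[out++] = (char)c;
		else
			out += (size_t)sprintf(dst + out, "\\%03o", c);
	}
	dst[out] = '\0';
	return out;
}

/* Old convention: len == 0 means "use strlen(3)", so a caller that asks for
 * zero bytes silently gets the whole NUL-terminated string read and encoded. */
size_t
strvisx_old(char *dst, const char *src, size_t len)
{
	if (len == 0)
		len = strlen(src);
	return encode(dst, src, len);
}

/* Fixed convention: the length is signed and only MB_STRZ requests strlen(3);
 * an explicit 0 encodes nothing and never dereferences src. */
size_t
strvisx_new(char *dst, const char *src, ssize_t len)
{
	if (len == MB_STRZ)
		len = (ssize_t)strlen(src);
	return encode(dst, src, (size_t)len);
}

int
main(void)
{
	char buf[64];
	printf("old, len 0: %zu bytes\n", strvisx_old(buf, "ab\n", 0));
	printf("new, len 0: %zu bytes\n", strvisx_new(buf, "ab\n", 0));
	return 0;
}
```

With the old convention a request for zero bytes encodes six; with the new one it encodes none, and callers that want the NUL-terminated behaviour say so explicitly with MB_STRZ.
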
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/49185 CVS commit: src/lib/libc/gen
Date: Mon, 8 Sep 2014 12:42:10 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Mon Sep  8 16:42:09 UTC 2014

 Modified Files:
 	src/lib/libc/gen: vis.c

 Log Message:
 PR/49185: Conrad Meyer: strvisx: Handle zero-length input strings gracefully.
 (don't abuse 0 to mean compute string length internally)


 To generate a diff of this commit:
 cvs rdiff -u -r1.60 -r1.61 src/lib/libc/gen/vis.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Joerg Sonnenberger <joerg@britannica.bec.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/49185: strvisx: Handle zero-length input strings gracefully.
Date: Mon, 8 Sep 2014 18:49:09 +0200

 On Mon, Sep 08, 2014 at 04:20:00PM +0000, conrad.meyer@isilon.com wrote:
 > The internal istrsenvisx() routine overloaded the zero length value as a
 > sentinel for "use strlen(3)." This is bad because the zero-length source string
 > has a defined behavior and the pointer for a zero-length string may be
 > completely bogus.

 At least the second half is wrong. A zero-length string still has to
 match the valid object rules. That said, I don't see why this behavior
 isn't provided under a flag.

 Joerg

Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.