NetBSD Problem Report #49185
From www@NetBSD.org Mon Sep 8 16:15:44 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id EAA41B9189
for <gnats-bugs@gnats.NetBSD.org>; Mon, 8 Sep 2014 16:15:43 +0000 (UTC)
Message-Id: <20140908161542.4455EB918C@mollari.NetBSD.org>
Date: Mon, 8 Sep 2014 16:15:42 +0000 (UTC)
From: conrad.meyer@isilon.com
Reply-To: conrad.meyer@isilon.com
To: gnats-bugs@NetBSD.org
Subject: strvisx: Handle zero-length input strings gracefully.
X-Send-Pr-Version: www-1.0
>Number: 49185
>Category: lib
>Synopsis: strvisx: Handle zero-length input strings gracefully.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 08 16:20:00 +0000 2014
>Last-Modified: Mon Sep 08 16:50:00 +0000 2014
>Originator: Conrad Meyer
>Release: FreeBSD CURRENT / NetBSD CVS HEAD
>Organization:
EMC / Isilon storage division
>Environment:
FreeBSD cemvbox9993 11.0-RELEASE FreeBSD 11.0-RELEASE amd64
>Description:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193447
The internal istrsenvisx() routine overloaded the zero length value as a
sentinel for "use strlen(3)." This is bad because the zero-length source string
has a defined behavior and the pointer for a zero-length string may be
completely bogus. Calling strlen(3) on a bogus pointer is bad.
Instead, use ssize_t for the input string length and use a #defined constant
MB_STRZ == (-1) as the sentinel for the nul-terminated strvis variants (strvis,
etc).
>How-To-Repeat:
Call strvisx() on a zero length input string.
>Fix:
See patch in comment 0 here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193447
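As an added illustration, not the NetBSD vis.c code or the patch linked above, here is a simplified encoder written both ways: vis_buggy uses the old "len == 0 means strlen(3)" convention, vis_fixed takes an ssize_t with MB_STRZ as the sentinel as the report proposes. The function names and the octal-only escaping are stand-ins for vis(3)'s real encoding.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#include <sys/types.h>

#define MB_STRZ (-1)   /* sentinel: source is NUL-terminated, compute its length */

/* Encode one byte: printable bytes are copied, everything else becomes \ooo. */
static char *
encode_byte(char *dst, unsigned char c)
{
	if (isprint(c) && c != '\\') {
		*dst++ = (char)c;
	} else {
		dst += sprintf(dst, "\\%03o", c);
	}
	return dst;
}

/* Old convention: len == 0 is overloaded to mean "use strlen(3)", so a
 * genuinely empty buffer is indistinguishable from a NUL-terminated one
 * and src gets dereferenced even when the caller passed zero bytes. */
size_t
vis_buggy(char *dst, const char *src, size_t len)
{
	char *p = dst;
	if (len == 0)
		len = strlen(src);	/* reads past a real zero-length buffer */
	while (len-- > 0)
		p = encode_byte(p, (unsigned char)*src++);
	*p = '\0';
	return (size_t)(p - dst);
}

/* Fixed convention: len is signed, MB_STRZ requests strlen(3), and 0 means
 * exactly zero bytes, so src is never touched for an empty input. */
size_t
vis_fixed(char *dst, const char *src, ssize_t len)
{
	char *p = dst;
	if (len == MB_STRZ)
		len = (ssize_t)strlen(src);
	while (len-- > 0)
		p = encode_byte(p, (unsigned char)*src++);
	*p = '\0';
	return (size_t)(p - dst);
}
```

The tests below use a valid NUL-terminated buffer so the old convention's mistake shows up as wrong output rather than as an out-of-bounds read.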
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49185 CVS commit: src/lib/libc/gen
Date: Mon, 8 Sep 2014 12:42:10 -0400
Module Name: src
Committed By: christos
Date: Mon Sep 8 16:42:09 UTC 2014
Modified Files:
src/lib/libc/gen: vis.c
Log Message:
PR/49185: Conrad Meyer: strvisx: Handle zero-length input strings gracefully.
(don't abuse 0 to mean compute string length internally)
To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/lib/libc/gen/vis.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Joerg Sonnenberger <joerg@britannica.bec.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: lib/49185: strvisx: Handle zero-length input strings gracefully.
Date: Mon, 8 Sep 2014 18:49:09 +0200
On Mon, Sep 08, 2014 at 04:20:00PM +0000, conrad.meyer@isilon.com wrote:
> The internal istrsenvisx() routine overloaded the zero length value as a
> sentinel for "use strlen(3)." This is bad because the zero-length source string
> has a defined behavior and the pointer for a zero-length string may be
> completely bogus.
At least the second half is wrong. A zero-length string still has to
match the valid object rules. That said, I don't see why this behavior
isn't provided under a flag.
Joerg
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.