
List:       bird-users
Subject:    Re: Vulnerability? Bug?  Missing check after xmalloc() in xstrdup().
From:       Maria_Matějka <maria.matejka () nic ! cz>
Date:       2020-04-27 6:18:55
Message-ID: F23B3BF5-F7C5-4E9A-B2B1-BBE6E87A9A11 () nic ! cz

Hello!
xmalloc is guaranteed to return non-NULL. If it were to return NULL, BIRD would die instead. That's why it's xmalloc and not malloc.
Maria


On April 27, 2020 5:26:58 AM GMT+02:00, liupeiyu@zju.edu.cn wrote:
> Hi,
> 
> In lib/string.h line 38,
> 
> static inline char *
> xstrdup(const char *c)
> {
>     size_t l = strlen(c) + 1;
>     // xmalloc may fail, and z will be NULL.
>     char *z = xmalloc(l);
>     // write to a NULL pointer, crash.
>     memcpy(z, c, l);
>     return z;
> }
> 
> I think this is a vulnerability, and maybe we can fix it as follows:
> 
> static inline char *
> xstrdup(const char *c)
> {
>     size_t l = strlen(c) + 1;
>     char *z = xmalloc(l);
>     if (z)
>     {
>         memcpy(z, c, l);
>         return z;
>     }
>     else return NULL;
> }
> 
> Thanks for any consideration!
> 
> Peiyu Liu, 
> NESA lab, 
> Zhejiang University
> 
> 
> 
> --
> 
> -----Original Message-----
> From: liupeiyu@zju.edu.cn
> Sent: 2020-04-27 10:06:41 (Monday)
> To: bird-users@network.cz
> Cc:
> Subject: Vulnerability? Bug?  Missing check after xmalloc() in xstrdup().

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
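
The contract described in the reply above, as an added example that is not part of the thread and not BIRD's source: a die-on-failure allocator, the xstrdup() shape that relies on it, and a check that a failed allocation ends the process instead of handing NULL to memcpy(). The names xmalloc_sketch, xstrdup_sketch and dies_on_alloc_failure are hypothetical, and abort() is an assumed stand-in for however BIRD actually dies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical die-on-failure allocator; illustrates the contract only. */
static void *xmalloc_sketch(size_t size)
{
    void *p = malloc(size ? size : 1);   /* malloc(0) may legally return NULL */
    if (!p) {
        fprintf(stderr, "fatal: cannot allocate %zu bytes\n", size);
        abort();                         /* die here; NULL never reaches a caller */
    }
    return p;
}

/* Same shape as the xstrdup() quoted in the thread: no NULL check needed. */
static char *xstrdup_sketch(const char *c)
{
    size_t l = strlen(c) + 1;            /* length including the NUL */
    char *z = xmalloc_sketch(l);
    memcpy(z, c, l);
    return z;
}

/* 1: forked child died inside the allocator; 0: it returned; -1: fork/wait error. */
static int dies_on_alloc_failure(void)
{
    volatile size_t huge = SIZE_MAX;     /* constructed request malloc cannot satisfy */
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        (void)xmalloc_sketch(huge);
        _exit(0);                        /* reached only if the contract is broken */
    }
    if (waitpid(pid, &st, 0) != pid) return -1;
    return !(WIFEXITED(st) && WEXITSTATUS(st) == 0);
}

int main(void)
{
    char *s = xstrdup_sketch("bird");
    printf("copy=%s dies_on_failure=%d\n", s, dies_on_alloc_failure());
    free(s);
    return 0;
}
```

The remaining effect of memory exhaustion under this contract is process termination, so the review question shifts from NULL checks at each call site to whether an untrusted peer can drive allocation sizes.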

