List: bird-users
Subject: Re: Vulnerability? Bug? Missing check after xmalloc() in xstrdup().
From: Maria_Matějka <maria.matejka () nic ! cz>
Date: 2020-04-27 6:18:55
Message-ID: F23B3BF5-F7C5-4E9A-B2B1-BBE6E87A9A11 () nic ! cz
Hello!
xmalloc is guaranteed to return non-NULL. If it were to return NULL, BIRD would die instead. That's why it's xmalloc and not malloc.
Maria
On April 27, 2020 5:26:58 AM GMT+02:00, liupeiyu@zju.edu.cn wrote:
> Hi,
>
> In lib/string.h line 38,
>
> static inline char *
> xstrdup(const char *c)
> {
>   size_t l = strlen(c) + 1;
>   // xmalloc may fail, and z will be NULL.
>   char *z = xmalloc(l);
>   // write to a NULL pointer, crash.
>   memcpy(z, c, l);
>   return z;
> }
>
> I think this is a vulnerability, and maybe we can fix it as follows:
>
> static inline char *
> xstrdup(const char *c)
> {
>   size_t l = strlen(c) + 1;
>   char *z = xmalloc(l);
>   if (z)
>   {
>     memcpy(z, c, l);
>     return z;
>   }
>   else return NULL;
> }
>
> Thanks for any consideration!
>
> Peiyu Liu,
> NESA lab,
> Zhejiang University
>
>
>
> --
>
> -----Original Message-----
> From: liupeiyu@zju.edu.cn
> Sent: 2020-04-27 10:06:41 (Monday)
> To: bird-users@network.cz
> Cc:
> Subject: Vulnerability? Bug? Missing check after xmalloc() in xstrdup().
>
> Hi,
>
> In lib/string.h line 38,
>
> static inline char *
> xstrdup(const char *c)
> {
>   size_t l = strlen(c) + 1;
>   // xmalloc may fail, and z will be NULL.
>   char *z = xmalloc(l);
>   // write to a NULL pointer, crash.
>   memcpy(z, c, l);
>   return z;
> }
>
> I think this is a vulnerability, and maybe we can fix it as follows:
>
>
> static inline char *
> xstrdup(const char *c)
> {
>   size_t l = strlen(c) + 1;
>   char *z = xmalloc(l);
>   if (z)
>   {
>     memcpy(z, c, l);
>     return z;
>   }
>   else return NULL;
> }
>
> Thanks for any consideration!
>
> Peiyu Liu,
> NESA lab,
> Zhejiang University
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
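
The behaviour described in the reply, as an added example that is not part of the original message and is not BIRD's source: with a die-on-failure allocator, xstrdup() never sees NULL because the process is terminated first. The alloc_hook seam, failing_alloc() and oom_terminates_process() are hypothetical, and abort() stands in for however BIRD actually dies.

```c
/* Added illustration, not BIRD code. abort() is an assumed stand-in for BIRD dying. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical test seam: lets the demo simulate an out-of-memory condition. */
static void *(*alloc_hook)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Never returns NULL: if the underlying allocator fails, the process ends here. */
static void *xmalloc(size_t n)
{
    void *p = alloc_hook(n);
    if (!p)
        abort();
    return p;
}

/* Same shape as the xstrdup() quoted in the thread; no NULL check is needed. */
static char *xstrdup(const char *c)
{
    size_t l = strlen(c) + 1;
    char *z = xmalloc(l);
    memcpy(z, c, l);
    return z;
}

/* Runs xstrdup() under simulated OOM in a child process.
 * Returns 1 if the child was killed by SIGABRT, 0 if not, -1 on fork/wait error. */
static int oom_terminates_process(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        alloc_hook = failing_alloc;
        char *z = xstrdup("bird");  /* must not return */
        _exit(z ? 0 : 1);           /* reached only if xmalloc() returned */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT;
}

int main(void)
{
    printf("child aborted on OOM: %d\n", oom_terminates_process());
    return 0;
}
```

The failure mode is therefore a controlled termination of the daemon rather than a NULL-pointer write inside memcpy().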