kern/93093: xdr_string might call strlen(3) on NULL
Jan Stary
hans at stare.cz
Thu Feb 9 06:10:02 PST 2006
>Number: 93093
>Category: kern
>Synopsis: xdr_string might call strlen(3) on NULL
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 09 14:10:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Jan Stary
>Release: FreeBSD 6.0-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD dell.stare.cz 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #3: Sat Jan 14 13:55:07 CET 2006 root at dell.stare.cz:/usr/obj/usr/src/sys/DELLLS i386
>Description:
The xdr_string(3) routine as present in usr/src/lib/libc/xdr/xdr.c
calls strlen() on the passed string during XDR_ENCODE, without
checking if it is NULL:
xdr_string(xdrs, cpp, maxsize)
{
	char *sp = *cpp;  /* sp is the actual string pointer */

	switch (xdrs->x_op) {
	case XDR_ENCODE:
		size = strlen(sp);
		break;
>How-To-Repeat:
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <rpc/types.h>
#include <rpc/xdr.h>

int
main(void)
{
	XDR xdrs;
	char *string = NULL;

	xdrs.x_ops = NULL;
	xdrstdio_create(&xdrs, stdout, XDR_ENCODE);
	if (xdrs.x_ops == NULL) {
		fprintf(stderr, "x_ops still NULL after initialization!\n");
		return 1;
	}

	string = NULL;  /* this will make xdr_string dump a core */
	/* string = strdup("this will get correctly encoded"); */
	if (!xdr_string(&xdrs, &string, 64)) {
		fprintf(stderr, "cannot XDR_ENCODE string!\n");
		return 1;
	}

	xdr_destroy(&xdrs);
	free(string);
	return 0;
}
>Fix:
The routine should probably check if (sp == NULL), and in that
case just return(FALSE);
>Release-Note:
>Audit-Trail:
>Unformatted:
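The check proposed under >Fix:, shown in a stand-alone model of the XDR_ENCODE path rather than in the real xdr.c. This is an added example, not the submitter's code nor FreeBSD's libc: xdr_encode_string is a hypothetical helper that writes the XDR wire form of a string (RFC 4506: 4-byte big-endian length, the bytes, zero padding to a multiple of 4) into a caller-supplied buffer, and fails cleanly for a NULL pointer or an over-long string instead of reaching strlen(NULL).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for xdr_string()'s XDR_ENCODE branch.
 * Returns the number of bytes written to buf, or 0 on failure, which
 * plays the role of xdr_string()'s FALSE return. */
size_t xdr_encode_string(const char *sp, unsigned int maxsize,
                         unsigned char *buf, size_t buflen)
{
	size_t len, padded;

	/* The check the PR asks for: a NULL string cannot be measured
	 * or copied, so report failure instead of calling strlen(NULL). */
	if (sp == NULL || buf == NULL)
		return 0;

	len = strlen(sp);
	if (len > maxsize)		/* the bound xdr_string() already enforces */
		return 0;

	padded = (len + 3) & ~(size_t)3;	/* XDR pads opaque data to 4 bytes */
	if (buflen < 4 + padded)
		return 0;

	/* 4-byte big-endian length prefix, then bytes, then zero padding. */
	buf[0] = (unsigned char)(len >> 24);
	buf[1] = (unsigned char)(len >> 16);
	buf[2] = (unsigned char)(len >> 8);
	buf[3] = (unsigned char)(len);
	memcpy(buf + 4, sp, len);
	memset(buf + 4 + len, 0, padded - len);
	return 4 + padded;
}

int main(void)
{
	unsigned char out[64];
	/* Constructed inputs: the NULL case from the PR and a normal string. */
	size_t bad = xdr_encode_string(NULL, 64, out, sizeof out);
	size_t ok = xdr_encode_string("this will get correctly encoded", 64,
	                              out, sizeof out);
	return (bad == 0 && ok != 0) ? 0 : 1;
}
```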