Hello!

xmalloc is guaranteed to return non-NULL. If it were to return NULL, BIRD would die instead. That's why it's xmalloc and not malloc.

Maria

On April 27, 2020 5:26:58 AM GMT+02:00, liupeiyu@zju.edu.cn wrote:
Hi,
In lib/string.h line 38,
static inline char *
xstrdup(const char *c)
{
  size_t l = strlen(c) + 1;
  // xmalloc may fail, and z will be NULL.
  char *z = xmalloc(l);
  // write to a NULL pointer, crash.
  memcpy(z, c, l);
  return z;
}
I think this is a vulnerability, and maybe we can fix it as follows:
static inline char *
xstrdup(const char *c)
{
  size_t l = strlen(c) + 1;
  char *z = xmalloc(l);   /* allocate the full copy length, not a single byte */
  if (z)
  {
    memcpy(z, c, l);
    return z;
  }
  else
    return NULL;          /* the function returns char *, so failure is NULL, not -1 */
}
Thanks for any consideration!
Peiyu Liu, NESA lab, Zhejiang University
--
-----Original Message----- From: liupeiyu@zju.edu.cn Sent: 2020-04-27 10:06:41 (Monday) To: bird-users@network.cz Cc: Subject: Vulnerability? Bug? Missing check after xmalloc() in xstrdup().
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
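To show Maria's point in working code, here is an added example (not BIRD's own code): a fail-fast xmalloc in the same style, an xstrdup without a NULL check, and a small demo that forces one allocation to fail and confirms the die path runs before memcpy() could ever see a NULL pointer. The die() stand-in, the xmalloc_force_fail flag and the die_hook function pointer are constructed for this example.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed test hook: when set, the underlying allocation is forced to
 * fail so the fail-fast path can be exercised without exhausting memory. */
static int xmalloc_force_fail = 0;
/* Hypothetical stand-in for BIRD's die(): report and terminate. Kept behind a
 * function pointer only so the demo below can observe that it was reached. */
static void default_die(const char *msg) { fprintf(stderr, "%s\n", msg); abort(); }
static void (*die_hook)(const char *) = default_die;
/* Fail-fast allocator: either returns usable memory or never returns. */
static void *xmalloc(size_t size)
{
  void *p = xmalloc_force_fail ? NULL : malloc(size);
  if (!p)
  {
    die_hook("Unable to allocate memory");
    abort();  /* only reached if a hook returns, which the contract forbids */
  }
  return p;
}
/* xstrdup as posted, without a NULL check: xmalloc's contract makes one
 * unreachable, so memcpy() can never see z == NULL. */
static char *xstrdup(const char *c)
{
  size_t l = strlen(c) + 1;
  char *z = xmalloc(l);
  memcpy(z, c, l);
  return z;
}
/* Demo: force one failed allocation inside xstrdup() and check that control
 * reaches the die path (observed via longjmp) rather than returning NULL.
 * Returns 1 if the die path fired, 0 if xstrdup() returned normally. */
static jmp_buf die_jmp;
static void jumping_die(const char *msg) { (void)msg; longjmp(die_jmp, 1); }
static int xmalloc_dies_on_failure(void)
{
  int died = 0;
  die_hook = jumping_die;
  xmalloc_force_fail = 1;
  if (setjmp(die_jmp) == 0)
    free(xstrdup("never copied"));  /* skipped: xmalloc dies first */
  else
    died = 1;
  xmalloc_force_fail = 0;
  die_hook = default_die;
  return died;
}
```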