Hello!
xmalloc is guaranteed to return non-NULL. If it were to return NULL, BIRD would die instead. That's why it's xmalloc and not malloc.
Maria


On April 27, 2020 5:26:58 AM GMT+02:00, liupeiyu@zju.edu.cn wrote:
Hi,

In lib/string.h line 38,

static inline char *
xstrdup(const char *c)
{
  size_t l = strlen(c) + 1;
  // xmalloc may fail, and z will be NULL.
  char *z = xmalloc(l);
  // write to a NULL pointer, crash.
  memcpy(z, c, l);
  return z;
}

I think this is a vulnerability, and maybe we can fix it as follows:

static inline char *
xstrdup(const char *c)
{
  size_t l = strlen(c) + 1;
  char *z = xmalloc(l);   /* allocate the full l bytes, not 1 */
  if (z)
    {
      memcpy(z, c, l);
      return z;
    }
  else
    return NULL;   /* a char * cannot carry -1; NULL signals failure */
}

Thanks for any consideration!

Peiyu Liu,
NESA lab,
Zhejiang University



--

-----Original Message-----
From: liupeiyu@zju.edu.cn
Sent: 2020-04-27 10:06:41 (Monday)
To: bird-users@network.cz
Cc:
Subject: Vulnerability? Bug? Missing check after xmalloc() in xstrdup().


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
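Maria's point is that the wrapper's contract, not a check at the call site, is what makes the missing NULL test in xstrdup() correct. The following is an added example, not BIRD's code: a minimal allocate-or-die xmalloc() beside an xstrdup() of the same shape as the one in lib/string.h, plus a harness that injects an allocation failure to show that control leaves xmalloc() before memcpy() can ever see a NULL destination. The die() stub, the fail_next_alloc knob and the "out of memory" message are assumptions made for this demonstration so the failure path can be exercised in-process; BIRD's real die() logs the error and terminates the daemon.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for BIRD's die(). The real one logs and exits the
 * daemon; this one records the message and, when armed by the harness below,
 * longjmps back so the failure path can be exercised without terminating. */
static jmp_buf die_jmp;
static char die_msg[128];
static int die_armed;

static void
die(const char *msg)
{
  snprintf(die_msg, sizeof die_msg, "%s", msg);
  if (die_armed)
    longjmp(die_jmp, 1);
  fputs(die_msg, stderr);
  exit(1);
}

/* Hypothetical fault-injection knob: when non-zero, the next allocation
 * fails. Assumed here for the demonstration; not part of BIRD. */
static int fail_next_alloc;

/* Allocate-or-die wrapper: callers never see NULL. On failure it hands the
 * error to die() and does not return. */
static void *
xmalloc(size_t size)
{
  void *p;

  if (fail_next_alloc)
    {
      fail_next_alloc = 0;
      p = NULL;
    }
  else
    p = malloc(size);

  if (!p)
    die("out of memory");
  return p;
}

/* Same shape as the xstrdup() in lib/string.h: no NULL check, because the
 * wrapper's contract guarantees z is a valid pointer here. */
static char *
xstrdup(const char *c)
{
  size_t l = strlen(c) + 1;
  char *z = xmalloc(l);
  memcpy(z, c, l);
  return z;
}

/* Exercise both paths. Returns 1 if the copy is correct and the injected
 * failure reached die() instead of memcpy(). */
static int
check_xstrdup(void)
{
  volatile int ok;
  char *z = xstrdup("bird");

  ok = (z != NULL && strcmp(z, "bird") == 0);
  free(z);

  die_msg[0] = '\0';
  die_armed = 1;
  fail_next_alloc = 1;
  if (setjmp(die_jmp) == 0)
    {
      /* The allocation fails inside xmalloc(); die() fires and longjmps here
       * before memcpy() is reached. */
      (void) xstrdup("never copied");
      ok = 0;   /* not reached */
    }
  die_armed = 0;

  return ok && strcmp(die_msg, "out of memory") == 0;
}
```

The trade-off the example makes visible: with an allocate-or-die wrapper, allocation failure is fatal by design, so a NULL check after xmalloc() is dead code. A caller that genuinely wants to survive allocation failure must call plain malloc() and handle NULL itself; it cannot get that behaviour by testing the result of xmalloc().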