Vulnerability? Bug? Missing check after xmalloc() in xstrdup().
Hi,

In lib/string.h line 38,

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      // xmalloc may fail, and z will be NULL.
      char *z = xmalloc(l);
      // write to a NULL pointer, crash.
      memcpy(z, c, l);
      return z;
    }

I think this is a vulnerability, and maybe we can fix it as follows:

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      char *z = xmalloc(l);
      if(z)
      {
        memcpy(z, c, l);
        return z;
      }
      else return -1;
    }

Thanks for any consideration!

Peiyu Liu, NESA lab, Zhejiang University
Hi,

In lib/string.h line 38,

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      // xmalloc may fail, and z will be NULL.
      char *z = xmalloc(l);
      // write to a NULL pointer, crash.
      memcpy(z, c, l);
      return z;
    }

I think this is a vulnerability, and maybe we can fix it as follows:

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      char *z = xmalloc(1);
      if(z)
      {
        memcpy(z, c, l);
        return z;
      }
      else return -1;
    }

Thanks for any consideration!

Peiyu Liu, NESA lab, Zhejiang University

--

-----Original Message-----
From: liupeiyu@zju.edu.cn
Sent: 2020-04-27 10:06:41 (Monday)
To: bird-users@network.cz
Cc:
Subject: Vulnerability? Bug? Missing check after xmalloc() in xstrdup().

Hi,

In lib/string.h line 38,

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      // xmalloc may fail, and z will be NULL.
      char *z = xmalloc(l);
      // write to a NULL pointer, crash.
      memcpy(z, c, l);
      return z;
    }

I think this is a vulnerability, and maybe we can fix it as follows:

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      char *z = xmalloc(1);
      if(z)
      {
        memcpy(z, c, l);
        return z;
      }
      else return -1;
    }

Thanks for any consideration!

Peiyu Liu, NESA lab, Zhejiang University
Hello!

xmalloc is guaranteed to return non-NULL. If it were to return NULL, BIRD would die instead. That's why it's xmalloc and not malloc.

Maria

On April 27, 2020 5:26:58 AM GMT+02:00, liupeiyu@zju.edu.cn wrote:
Hi,

In lib/string.h line 38,

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      // xmalloc may fail, and z will be NULL.
      char *z = xmalloc(l);
      // write to a NULL pointer, crash.
      memcpy(z, c, l);
      return z;
    }

I think this is a vulnerability, and maybe we can fix it as follows:

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      char *z = xmalloc(1);
      if(z)
      {
        memcpy(z, c, l);
        return z;
      }
      else return -1;
    }

Thanks for any consideration!

Peiyu Liu, NESA lab, Zhejiang University

--

-----Original Message-----
From: liupeiyu@zju.edu.cn
Sent: 2020-04-27 10:06:41 (Monday)
To: bird-users@network.cz
Cc:
Subject: Vulnerability? Bug? Missing check after xmalloc() in xstrdup().

Hi,

In lib/string.h line 38,

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      // xmalloc may fail, and z will be NULL.
      char *z = xmalloc(l);
      // write to a NULL pointer, crash.
      memcpy(z, c, l);
      return z;
    }

I think this is a vulnerability, and maybe we can fix it as follows:

    static inline char *
    xstrdup(const char *c)
    {
      size_t l = strlen(c) + 1;
      char *z = xmalloc(1);
      if(z)
      {
        memcpy(z, c, l);
        return z;
      }
      else return -1;
    }

Thanks for any consideration!

Peiyu Liu, NESA lab, Zhejiang University
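
The contract described in the reply, as an added example that is not part of the thread and not BIRD's source: `xmalloc()` below is an assumed sketch that aborts on allocation failure, and `alloc_failure_kills_process()` is a hypothetical helper that forces a failure in a child process to show that the caller never sees NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed sketch, not BIRD's source: never returns NULL, dies on failure. */
void *xmalloc(size_t size)
{
    void *p = malloc(size);
    if (!p) {
        fprintf(stderr, "xmalloc: unable to allocate %zu bytes\n", size);
        abort();
    }
    return p;
}

/* xstrdup() as quoted in the thread; a NULL check on z would be dead code. */
char *xstrdup(const char *c)
{
    size_t l = strlen(c) + 1;
    char *z = xmalloc(l);
    memcpy(z, c, l);
    return z;
}

/* Request an impossible size in a child process. Returns 1 if the child
 * died inside xmalloc(), 0 if xmalloc() returned, -1 on fork/wait error. */
int alloc_failure_kills_process(void)
{
    volatile size_t huge = (size_t)-1;  /* volatile: not folded at compile time */
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        (void)xmalloc(huge);
        _exit(42);  /* constructed code, reached only if xmalloc() returned */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    return !(WIFEXITED(status) && WEXITSTATUS(status) == 42);
}

int main(void)
{
    char *s = xstrdup("192.0.2.1");  /* constructed sample input */
    printf("copy=%s died_in_xmalloc=%d\n", s, alloc_failure_kills_process());
    free(s);
    return 0;
}
```

With a wrapper of this shape, memory exhaustion ends the process at the allocation site, so the availability impact is a controlled exit rather than a NULL dereference in `memcpy()`.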
Participants (2): liupeiyu@zju.edu.cn, Maria Matějka