Our testing has shown that glibc (all versions since 2.3.2 incl. CVS HEAD as of Oct 12th, 2006 at 10:28 - have not tested earlier versions) implements strnlen() in a way where memory locations (bytes) may be accessed beyond maxlen bytes from the starting pointer. Two problems exist (s is the starting pointer, maxlen is the byte count: 1) The first loop looking at bytes up to the first long-aligned boundary will access bytes up to that boundary, even if (s + maxlen) refers to a memory location between s and the first long-alignment boundary. 2) The second loop (running through the string 4 or 8 bytes at a time) can access memory locations beyond (s + maxlen) if (s + maxlen) does not end at the last byte in a long. In that case, the remaining bytes are still accessed, even though they occur beyond (s + maxlen). The following code fragment shows this problem: ------------------------------------------------------------------------- #include <stdio.h> #include <string.h> #include <stdlib.h> int main() { char *s = (char *)malloc(3); char *t = (char *)malloc(8); s[1] = 'a'; s[2] = 'b'; t[0] = 'a'; t[1] = 'b'; t[2] = 'c'; t[3] = 'd'; t[4] = 'e'; t[5] = '\0'; printf("\t%p -> %ld\n", s + 1, my_strnlen(s + 1, 1)); free(s); printf("\t%p -> %ld\n", t, my_strnlen(t, 0)); printf("\t%p -> %ld\n", t, my_strnlen(t, 1)); printf("\t%p -> %ld\n", t, my_strnlen(t, 2)); printf("\t%p -> %ld\n", t, my_strnlen(t, 3)); printf("\t%p -> %ld\n", t, my_strnlen(t, 4)); printf("\t%p -> %ld\n", t, my_strnlen(t, 5)); free(t); exit(0); } ------------------------------------------------------------------------- The problem is clearly visible when executing this using valgrind *provided* you copy the strnlen() implementation from the glibc sources and renamr the function to be my_strnlen(). Reason for this is that valgrind() otherwise will use its own implementation of strnlen() which is slower but safe. The attached patch file (against CVS) solves the problem with (as far as I can determine) minimal performance impact.
Created attachment 1372 [details] Patch for strnlen() illegal access problem This patch resolves the two issues mentioned in the bug report. The performance impact of the changes should be minimal.
This is by design. The application cannot see any difference. There never will be any segfaults because of that.
If this is by design, I'll see check to log a bug against the manpage for strnlen (at least on linux, haven't check manpage for other ports) because the manpage currently explicitly states: The strnlen function returns the number of characters in the string pointed to by s, not including the terminating '\0' character, but at most maxlen. In doing this, strnlen looks only at the first maxlen characters at s and never beyond s+maxlen. That last sentence is clearly not in sync with the implementation.
There is no bug anywhere except in your understanding what the runtime is supposed to do.