Bug 3355

Summary: strnlen() accesses memory locations beyond (s + maxlen)
Product: glibc Reporter: Kris Van Hees <kris.van.hees>
Component: libcAssignee: Ulrich Drepper <drepper.fsp>
Status: RESOLVED WONTFIX    
Severity: normal CC: glibc-bugs
Priority: P2 Flags: fweimer: security-
Version: unspecified   
Target Milestone: ---   
Host: i686-pc-linux-gnu Target: i686-pc-linux-gnu
Build: i686-pc-linux-gnu Last reconfirmed:
Attachments: Patch for strnlen() illegal access problem

Description Kris Van Hees 2006-10-12 14:50:36 UTC 
Our testing has shown that glibc (all versions since 2.3.2 incl. CVS HEAD as of
Oct 12th, 2006 at 10:28 - have not tested earlier versions) implements strnlen()
in a way where memory locations (bytes) may be accessed beyond maxlen bytes from
the starting pointer.

Two problems exist (s is the starting pointer, maxlen is the byte count:
    1) The first loop looking at bytes up to the first long-aligned boundary
       will access bytes up to that boundary, even if (s + maxlen) refers to
       a memory location between s and the first long-alignment boundary.
    2) The second loop (running through the string 4 or 8 bytes at a time) can
       access memory locations beyond (s + maxlen) if (s + maxlen) does not end
       at the last byte in a long.  In that case, the remaining bytes are still
       accessed, even though they occur beyond (s + maxlen).

The following code fragment shows this problem:
-------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main() {
    char        *s      = (char *)malloc(3);
    char        *t      = (char *)malloc(8);

    s[1] = 'a';
    s[2] = 'b';

    t[0] = 'a';
    t[1] = 'b';
    t[2] = 'c';
    t[3] = 'd';
    t[4] = 'e';
    t[5] = '\0';

    printf("\t%p -> %ld\n", s + 1, my_strnlen(s + 1, 1));
    free(s);

    printf("\t%p -> %ld\n", t, my_strnlen(t, 0));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 1));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 2));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 3));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 4));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 5));
    free(t);

    exit(0);
}
-------------------------------------------------------------------------

The problem is clearly visible when executing this using valgrind *provided* you
copy the strnlen() implementation from the glibc sources and renamr the function
to be my_strnlen().  Reason for this is that valgrind() otherwise will use its
own implementation of strnlen() which is slower but safe.

The attached patch file (against CVS) solves the problem with (as far as I can
determine) minimal performance impact.
Comment 1 Kris Van Hees 2006-10-12 14:51:59 UTC 
Created attachment 1372 [details]
Patch for strnlen() illegal access problem

This patch resolves the two issues mentioned in the bug report.  The
performance impact of the changes should be minimal.
Comment 2 Ulrich Drepper 2006-10-12 20:48:18 UTC 
This is by design.  The application cannot see any difference.  There never will
be any segfaults because of that.
Comment 3 Kris Van Hees 2006-10-12 23:48:07 UTC 
If this is by design, I'll see check to log a bug against the manpage for
strnlen (at least on linux, haven't check manpage for other ports) because the
manpage currently explicitly states:

       The  strnlen  function  returns  the number of characters in the string
       pointed to by s, not including the terminating '\0' character,  but  at
       most  maxlen.  In  doing  this,  strnlen looks only at the first maxlen
       characters at s and never beyond s+maxlen.

That last sentence is clearly not in sync with the implementation.
Comment 4 Ulrich Drepper 2006-10-13 04:31:03 UTC 
There is no bug anywhere except in your understanding what the runtime is
supposed to do.