This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/3355] New: strnlen() accesses memory locations beyond (s + maxlen)
- From: "kris dot van dot hees at oracle dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 12 Oct 2006 14:50:37 -0000
- Subject: [Bug libc/3355] New: strnlen() accesses memory locations beyond (s + maxlen)
- Reply-to: sourceware-bugzilla at sourceware dot org
Our testing has shown that glibc (all versions since 2.3.2 incl. CVS HEAD as of
Oct 12th, 2006 at 10:28 - have not tested earlier versions) implements strnlen()
in a way where memory locations (bytes) may be accessed beyond maxlen bytes from
the starting pointer.
Two problems exist (s is the starting pointer, maxlen is the byte count:
1) The first loop looking at bytes up to the first long-aligned boundary
will access bytes up to that boundary, even if (s + maxlen) refers to
a memory location between s and the first long-alignment boundary.
2) The second loop (running through the string 4 or 8 bytes at a time) can
access memory locations beyond (s + maxlen) if (s + maxlen) does not end
at the last byte in a long. In that case, the remaining bytes are still
accessed, even though they occur beyond (s + maxlen).
The following code fragment shows this problem:
-------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main() {
char *s = (char *)malloc(3);
char *t = (char *)malloc(8);
s[1] = 'a';
s[2] = 'b';
t[0] = 'a';
t[1] = 'b';
t[2] = 'c';
t[3] = 'd';
t[4] = 'e';
t[5] = '\0';
printf("\t%p -> %ld\n", s + 1, my_strnlen(s + 1, 1));
free(s);
printf("\t%p -> %ld\n", t, my_strnlen(t, 0));
printf("\t%p -> %ld\n", t, my_strnlen(t, 1));
printf("\t%p -> %ld\n", t, my_strnlen(t, 2));
printf("\t%p -> %ld\n", t, my_strnlen(t, 3));
printf("\t%p -> %ld\n", t, my_strnlen(t, 4));
printf("\t%p -> %ld\n", t, my_strnlen(t, 5));
free(t);
exit(0);
}
-------------------------------------------------------------------------
The problem is clearly visible when executing this using valgrind *provided* you
copy the strnlen() implementation from the glibc sources and renamr the function
to be my_strnlen(). Reason for this is that valgrind() otherwise will use its
own implementation of strnlen() which is slower but safe.
The attached patch file (against CVS) solves the problem with (as far as I can
determine) minimal performance impact.
--
Summary: strnlen() accesses memory locations beyond (s + maxlen)
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: kris dot van dot hees at oracle dot com
CC: glibc-bugs at sources dot redhat dot com
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu
http://sourceware.org/bugzilla/show_bug.cgi?id=3355
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.