This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
asprintf() issue
- From: Archie Cobbs <archie dot cobbs at gmail dot com>
- To: libc-alpha at sourceware dot org
- Cc: mtk-manpages <mtk-manpages at gmail dot com>
- Date: Tue, 12 May 2015 08:53:05 -0500
- Subject: asprintf() issue
Hello,
I have a question about asprintf(). There seems to be a practical issue with it.
The man page states:
If memory allocation wasn't possible, or some other error
occurs, these functions will return -1, and the contents
of strp is undefined.
Note the "strp is undefined" part. This is correct, because there is
apparently no explicit specification that says anything otherwise.
The "practical" problem is this:
o In the actual implementation, the contents of strp are
_unmodified_ when an error occurs.
o There is critical code out there that depends on this
undocumented behavior (namely, systemd)
o The maintainers of that critical code don't believe their
code is doing anything wrong and refuse to change it:
https://bugs.freedesktop.org/show_bug.cgi?id=90017
So... this is a great way to create an obscure security hole five
years from now, when someone optimizes asprintf() in a way that it
actually does clobber strp on error.
While IMHO he is technically in the wrong, our friend Lennart has a
good point: a much simpler fix, which would make life easier for
programmers everywhere, would be to acknowledge reality by changing
the (currently implicit) specified behavior from "undefined" to an
explicit "unmodified", as this allows the caller to initialize strp to
NULL and get back a free()'able value whether or not an error
occurs. (FWIW, FreeBSD sets *strp to NULL on error, which is even
friendlier to the programmer, because it no longer needs to be
initialized at all.)
Since "unmodified" is in fact how asprintf() currently behaves, adding
"unmodified" to the specified behavior would be backward compatible,
require no code change, make life easier for programmers, and close a
potential future security hole.
So... can we add "unmodified" to the specification for *strp when
asprintf() returns an error?
Thanks,
-Archie
--
Archie L. Cobbs
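The two caller idioms the message contrasts, as an added example that is not code from the original message, from glibc, from systemd or from FreeBSD. bounded_asprintf() is a hypothetical vsnprintf-based wrapper whose error contract is explicit: on any failure it returns -1 and stores NULL in *strp (the FreeBSD behaviour mentioned above), so the "initialize to NULL, then free() unconditionally" idiom is safe regardless of what the libc underneath does to *strp on error. The max_len parameter is an assumed addition with no counterpart in asprintf(): it bounds the allocation and gives a deterministic error path to exercise.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper (example code, not libc's asprintf). Contract: on
 * success returns the length and stores a malloc()'d string in *strp; on
 * ANY failure returns -1 and stores NULL in *strp. Output longer than
 * max_len bytes is rejected with EOVERFLOW (assumed extra parameter). */
static int bounded_vasprintf(char **strp, size_t max_len, const char *fmt, va_list ap)
{
    va_list ap2;
    int len;
    char *buf;

    *strp = NULL;                        /* error contract: NULL on every failure */

    va_copy(ap2, ap);                    /* measure on a copy; ap is reused below */
    len = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (len < 0)
        return -1;                       /* format/encoding error, errno set by vsnprintf */
    if ((size_t)len > max_len) {
        errno = EOVERFLOW;
        return -1;
    }

    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return -1;                       /* errno == ENOMEM */

    if (vsnprintf(buf, (size_t)len + 1, fmt, ap) != len) {
        free(buf);                       /* never hand back a half-written buffer */
        return -1;
    }
    *strp = buf;
    return len;
}

static int bounded_asprintf(char **strp, size_t max_len, const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = bounded_vasprintf(strp, max_len, fmt, ap);
    va_end(ap);
    return r;
}

/* Idiom 1, the one the message attributes to systemd: initialize to NULL,
 * ignore the return value, free() whatever is there. Only safe when *strp is
 * guaranteed NULL or unmodified on error; with a plain asprintf() whose
 * *strp is "undefined" on error this is a latent double/invalid free.
 * Returns the formatted length, or 0 when the call failed. */
static size_t format_len_free_unconditionally(size_t max_len, const char *name)
{
    char *s = NULL;
    size_t n;

    (void)bounded_asprintf(&s, max_len, "user=%s", name);
    n = s ? strlen(s) : 0;               /* s is NULL on failure by contract */
    free(s);                             /* free(NULL) is a no-op */
    return n;
}

/* Idiom 2, portable against any asprintf() implementation: check the return
 * value and touch *strp only on success. Copies the result into out. */
static int format_checked(size_t max_len, const char *name, char *out, size_t out_sz)
{
    char *s;
    int len = bounded_asprintf(&s, max_len, "user=%s", name);

    if (len < 0)
        return -1;                       /* do not read, use or free s here */
    snprintf(out, out_sz, "%s", s);
    free(s);
    return len;
}

int main(void)
{
    char out[32];

    printf("unconditional-free idiom: %zu bytes\n", format_len_free_unconditionally(64, "alice"));
    printf("checked idiom: %d\n", format_checked(4, "alice", out, sizeof out)); /* -1: over max_len */
    return 0;
}
```

The wrapper writes NULL before doing anything else, so even a caller that passed an uninitialized pointer cannot observe stale data after a failure. If the project cannot change its libc, the same effect comes from routing every asprintf() call through a wrapper like this one rather than relying on the undocumented "unmodified" behaviour the message describes.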