This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



asprintf() issue


Hello,

I have a question about asprintf(). There seems to be a practical issue with it.

The man page states:

    If memory allocation wasn't possible, or some other error
    occurs, these functions will return -1, and the contents
    of strp is undefined.

Note the "strp is undefined" part. This is correct, because there is
apparently no explicit specification that says anything otherwise.

The "practical" problem is this:

  o In the actual implementation, the contents of strp are
     _unmodified_ when an error occurs.
  o There is critical code out there that depends on this
     undocumented behavior (namely, systemd)
  o The maintainers of that critical code don't believe their
     code is doing anything wrong and refuse to change it:
     https://bugs.freedesktop.org/show_bug.cgi?id=90017

So... this is a great way to create an obscure security hole five
years from now, when someone optimizes asprintf() in a way that it
actually does clobber strp on error.

While IMHO he is technically in the wrong, our friend Leonnard has a
good point: a much simpler fix, which would make life easier for
programmers everywhere, would be to acknowledge reality by changing
the (currently implicit) specified behavior from "undefined" to an
explicit "unmodified", as this allows the caller to initialize strp to
NULL and get back a free()'able value whether or not an error
occurs. (FWIW, FreeBSD sets *strp to NULL on error, which is even
friendlier to the programmer, because it no longer needs to be
initialized at all.)

Since "unmodified" is in fact how asprintf() currently behaves, adding
"unmodified" to the specified behavior would be backward compatible,
require no code change, make life easier for programmers, and close a
potential future security hole.

So... can we add "unmodified" to the specification for *strp when
asprintf() returns an error?

Thanks,
-Archie

-- 
Archie L. Cobbs
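A defensive wrapper, added here as an example and not part of the mail or of glibc, that gives asprintf() the FreeBSD-style contract discussed above (NULL in *strp on error) so the caller never depends on the undocumented "unmodified" behavior. The `fake_vasprintf_failure` hook and the `format_user` caller are constructed for the example.

```c
#define _GNU_SOURCE   /* exposes vasprintf()/asprintf() on glibc; must precede includes */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int vasprintf(char **strp, const char *fmt, va_list ap); /* explicit prototype, in case _GNU_SOURCE took effect too late */

/* Constructed test hook (not a libc feature): when nonzero the wrapper acts as
   if vasprintf() had failed with ENOMEM, so the error path can be exercised. */
int fake_vasprintf_failure = 0;

/* Wrapper giving asprintf() the FreeBSD-style contract the mail mentions: on
   error *strp is set to NULL, so free(*strp) is always safe afterwards. */
int safe_vasprintf(char **strp, const char *fmt, va_list ap)
{
    int rc;
    if (fake_vasprintf_failure) {
        errno = ENOMEM;
        rc = -1;
    } else {
        rc = vasprintf(strp, fmt, ap);
    }
    if (rc < 0)
        *strp = NULL;   /* do not rely on "unmodified" being guaranteed */
    return rc;
}

int safe_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int rc = safe_vasprintf(strp, fmt, ap);
    va_end(ap);
    return rc;
}

/* Caller in the style the mail criticizes: frees the buffer without checking
   the return value. With the wrapper this is safe even though the pointer
   held a stale value before the call. Returns the formatted length or -1. */
int format_user(const char *name, unsigned id)
{
    char *msg = (char *)0x1;   /* stale value, as an uninitialized pointer might hold */
    int rc = safe_asprintf(&msg, "user=%s id=%u", name, id);
    free(msg);                 /* heap pointer on success, NULL on error, never stale */
    return rc;
}

int main(void) { return format_user("alice", 42) < 0; }
```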

