From owner-freebsd-current Sat Oct 14 15:49:20 1995
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id PAA21136 for current-outgoing; Sat, 14 Oct 1995 15:49:20 -0700
Received: from irbs.irbs.com (irbs.com [199.182.75.129]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id PAA21131 for ; Sat, 14 Oct 1995 15:49:16 -0700
Received: (from jc@localhost) by irbs.irbs.com (8.6.12/8.6.6) id SAA14930; Sat, 14 Oct 1995 18:48:36 -0400
From: John Capo
Message-Id: <199510142248.SAA14930@irbs.irbs.com>
Subject: Re: phkmalloc and X programs
To: terry@lambert.org (Terry Lambert)
Date: Sat, 14 Oct 1995 18:48:35 -0400 (EDT)
Cc: jc@irbs.com, freebsd-current@freefall.freebsd.org
In-Reply-To: <199510142136.OAA21875@phaeton.artisoft.com> from "Terry Lambert" at Oct 14, 95 02:36:26 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1542
Sender: owner-current@FreeBSD.org
Precedence: bulk

Terry Lambert writes:
> 
> > Here is another broken X program.  Notice the assumption that
> > malloc() returns zeroed memory.
> > 
> > xhost.c:
> > 
> >     namelen = strlen(name);
> >     if ((lname = (char *)malloc(namelen)) == NULL) {
> >         fprintf (stderr, "%s: malloc bombed in change_host\n", ProgramName);
> >         exit (1);
> >     }
> >     for (i = 0; i < namelen; i++) {
> >         lname[i] = tolower(name[i]);
> >     }
> >     if (!strncmp("inet:", lname, 5)) {
> >     ...
> >     ...
> 
> The only assumption in this code is that namelen is >= 5.
> 
> There is no assumption of null termination on the lname string implicit
> in the malloc; if there were, it would be "namelen = strlen(name) + 1;".
> 

Ok, I didn't include enough code fragments.  Further down in the code:

    if (family == FamilyWild && (cp = strchr(lname, ':'))) {
        *cp = '\0';
        fprintf (stderr, "%s: unknown address family \"%s\"\n",
                 ProgramName, lname);
        return 0;
    }

lname is not NULL terminated unless malloc() returns zeroed memory.
I have never seen anything that states that malloc() returns zeroed memory
nor have I seen bzero/memset in the BSD malloc() sources.

Here is the failure:

    xhost +cleat
    xhost: unknown address family "cleatPPPPPPPPPPP0PPPPPPPPPPPPPPPs0).O\e"
    xhost: bad hostname "cleat"

strchr() wanders off through memory till it finds a ':' or a '\0'.  In my
case it finds a ':' not too far away.

John Capo
IRBS Engineering
High performance FreeBSD systems
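The failure John describes, as an added example that is not part of the original message or of xhost.c: a corrected version of the lowercase-copy (allocating strlen + 1 bytes and writing the terminator explicitly, so the later strchr() stops where the name ends), beside an in-bounds simulation of the original bug. The simulation models the heap block with a larger stack buffer pre-filled with constructed junk ('P' bytes and a ':' some way in, mirroring the "cleatPPP..." output quoted above) so that the unterminated read stays inside our own buffer while still showing what the broken logic reports. All function names here are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fix for the xhost.c fragment: copy and lower-case the name
 * into a buffer of namelen + 1 bytes and terminate it ourselves, instead of
 * assuming malloc() hands back zeroed memory.  Caller frees the result. */
char *lowercase_copy(const char *name)
{
    size_t namelen = strlen(name);
    char *lname = malloc(namelen + 1);          /* +1 for the NUL */
    if (lname == NULL)
        return NULL;
    for (size_t i = 0; i < namelen; i++)
        lname[i] = (char)tolower((unsigned char)name[i]);
    lname[namelen] = '\0';                      /* explicit terminator */
    return lname;
}

/* Hypothetical: the "family" text the corrected code would report, i.e. the
 * lower-cased name cut at the first ':'.  Returns a static buffer. */
const char *family_of(const char *name)
{
    static char out[64];
    char *lname = lowercase_copy(name);
    if (lname == NULL)
        return NULL;
    char *cp = strchr(lname, ':');              /* bounded by our NUL now */
    if (cp != NULL)
        *cp = '\0';
    snprintf(out, sizeof out, "%s", lname);
    free(lname);
    return out;
}

/* Hypothetical simulation of the original bug.  The "allocation" is a
 * 32-byte buffer filled with constructed junk: 'P' everywhere, a ':' at
 * offset 20, and a NUL at the end so our own strchr() cannot leave it.
 * The name is copied without a terminator (namelen, not namelen + 1),
 * exactly as in the quoted code, so strchr() runs past the name into the
 * junk, just as it ran into the heap in the message.  Returns what the
 * broken "unknown address family" message would print. */
const char *simulate_unterminated(const char *name)
{
    static char heap[32];
    memset(heap, 'P', sizeof heap);
    heap[20] = ':';
    heap[sizeof heap - 1] = '\0';
    size_t namelen = strlen(name);              /* the bug: no +1, no NUL */
    for (size_t i = 0; i < namelen && i < sizeof heap - 1; i++)
        heap[i] = (char)tolower((unsigned char)name[i]);
    char *cp = strchr(heap, ':');               /* finds the junk ':' */
    if (cp != NULL)
        *cp = '\0';
    return heap;
}

int main(void)
{
    printf("fixed:  family of \"Inet:Cleat\" -> \"%s\"\n", family_of("Inet:Cleat"));
    printf("fixed:  family of \"cleat\"      -> \"%s\"\n", family_of("cleat"));
    printf("broken: family of \"cleat\"      -> \"%s\"\n", simulate_unterminated("cleat"));
    return 0;
}
```

With the corrected copy, "cleat" contains no ':' and the search stops at the terminator; with the simulated bug the reported family is "cleat" followed by fifteen junk bytes, the same shape as the garbage in the quoted xhost output.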