From owner-freebsd-current Sat Oct 14 19:25:11 1995
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id TAA26340 for current-outgoing; Sat, 14 Oct 1995 19:25:11 -0700
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id TAA26335 for ; Sat, 14 Oct 1995 19:25:06 -0700
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id TAA22252; Sat, 14 Oct 1995 19:19:54 -0700
From: Terry Lambert
Message-Id: <199510150219.TAA22252@phaeton.artisoft.com>
Subject: Re: phkmalloc and X programs
To: bde@zeta.org.au (Bruce Evans)
Date: Sat, 14 Oct 1995 19:19:54 -0700 (MST)
Cc: jc@irbs.com, terry@lambert.org, freebsd-current@freefall.freebsd.org
In-Reply-To: <199510142235.IAA27701@godzilla.zeta.org.au> from "Bruce Evans" at Oct 15, 95 08:35:20 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1621
Sender: owner-current@FreeBSD.org
Precedence: bulk

> >> Here is another broken X program. Notice the assumption that
> >> malloc() returns zeroed memory.
> >>
> >> xhost.c:
> >>
> >>     namelen = strlen(name);
> >>     if ((lname = (char *)malloc(namelen)) == NULL) {
> >>         fprintf (stderr, "%s: malloc bombed in change_host\n", ProgramName);
> >>         exit (1);
> >>     }
> >>     for (i = 0; i < namelen; i++) {
> >>         lname[i] = tolower(name[i]);
> >>     }
> >>     if (!strncmp("inet:", lname, 5)) {
> >>     ...
> >>     ...
> >
> >The only assumption in this code is that namelen is >= 5.
>
> Nope.  Suppose lname is initially "INOT:" and name is "inet".
> Then namelen < 5 (== 4) and the code fails.

I already said that that was the assumption.  8-).
Probably the "correct" "fix" is to change:

	if (!strncmp("inet:", lname, 5)) {

To:

	if (namelen >= 5 && !strncmp("inet:", lname, 5)) {

> >There is no assumption of null termination on the lname string implicit
> >in the malloc; if there were, it would be "namelen = strlen(name) + 1;".
>
> That may be why the author thought that termination was unnecessary.

The author thought that the allocated area was >= 5 for any namelen, making
an assumption about the way the malloc on his system functioned, such that
lname[0..4] was an addressable location.

If the allocated area happened to contain "xxet:" and name was "in", it
would falsely hit positive.  This is statistically highly improbable.
Likely the code will function in common use anyway.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
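The false positive discussed in this thread, reproduced deterministically as an added example; this is not code from the thread or from xhost.c. The buggy variant keeps the quoted logic (no terminator, unconditional strncmp of five bytes) but takes a caller-supplied scratch buffer in place of malloc(), so the stale bytes can be chosen; that buffer is an assumption standing in for whatever uninitialised heap memory malloc() happened to return, and it avoids reading past a real allocation, which would be undefined behaviour. The fixed variant applies both fixes mentioned above: allocate namelen + 1 and terminate, and guard the compare with namelen >= 5. The function names is_inet_buggy, is_inet_fixed, demo_inot_case and demo_xxet_case are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* As quoted from xhost.c: no NUL written, no length check, strncmp always
 * inspects scratch[0..4].  'scratch' (assumed >= 5 bytes) stands in for the
 * block malloc(namelen) returned; whatever was already in it is what the
 * compare sees beyond namelen. */
static int is_inet_buggy(const char *name, char *scratch)
{
    size_t namelen = strlen(name);
    size_t i;

    for (i = 0; i < namelen; i++)
        scratch[i] = (char)tolower((unsigned char)name[i]);
    /* Bytes scratch[namelen..4] were never written by this function. */
    return strncmp("inet:", scratch, 5) == 0;
}

/* The two fixes from the thread: malloc(namelen + 1) with a terminator, and
 * a namelen >= 5 guard before the five-byte compare. */
static int is_inet_fixed(const char *name)
{
    size_t namelen = strlen(name);
    size_t i;
    int hit;
    char *lname = malloc(namelen + 1);   /* +1 for the NUL */

    if (lname == NULL)
        return -1;                       /* caller reports "malloc bombed" */
    for (i = 0; i < namelen; i++)
        lname[i] = (char)tolower((unsigned char)name[i]);
    lname[namelen] = '\0';
    hit = (namelen >= 5 && strncmp("inet:", lname, 5) == 0);
    free(lname);
    return hit;
}

/* Bruce's scenario: stale "INOT:" in the block, name "inet" (namelen == 4).
 * The loop overwrites the first four bytes with "inet", the ':' survives,
 * and the compare falsely succeeds. */
int demo_inot_case(void)
{
    char scratch[16];
    memcpy(scratch, "INOT:", 6);         /* constructed stale heap contents */
    return is_inet_buggy("inet", scratch);
}

/* Terry's scenario: stale "xxet:" in the block, name "in" (namelen == 2). */
int demo_xxet_case(void)
{
    char scratch[16];
    memcpy(scratch, "xxet:", 6);         /* constructed stale heap contents */
    return is_inet_buggy("in", scratch);
}

int main(void)
{
    printf("buggy, stale \"INOT:\", name \"inet\" -> %d (false positive)\n",
           demo_inot_case());
    printf("fixed,               name \"inet\" -> %d\n", is_inet_fixed("inet"));
    printf("buggy, stale \"xxet:\", name \"in\"   -> %d (false positive)\n",
           demo_xxet_case());
    printf("fixed,               name \"in\"   -> %d\n", is_inet_fixed("in"));
    printf("fixed,               \"INET:localhost\" -> %d\n",
           is_inet_fixed("INET:localhost"));
    return 0;
}
```

Against a real allocator the stale bytes are whatever the previous owner of that block left behind, so the outcome of the quoted code is not reproducible from run to run; that is exactly why the bug survives in common use. Note that the terminator alone already makes the compare safe: strncmp() stops at the first differing byte, and with lname[namelen] == '\0' a four-byte name differs from "inet:" at index 4. The namelen >= 5 guard is belt and braces on top of that.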