Date: Mon, 26 May 2003 15:40:55 +0400 (MSD)
Message-Id: <200305261140.h4QBetQx073193@road.demos.su>
From: Seva Gluschenko
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/52691: str[n][case]cmp may cause segmentation violation with NULL pointers passed

>Number:         52691
>Category:       bin
>Synopsis:       str[n][case]cmp may cause segmentation violation with NULL pointers passed
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 26 04:40:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Seva Gluschenko
>Release:        FreeBSD 4.8-RC i386
>Organization:
JSC Demos-Internet
>Environment:
System: FreeBSD road.demos.su 4.8-RC FreeBSD 4.8-RC #2: Tue Mar 4 15:43:13 MSK 2003 gvs@road.demos.su:/usr/local/obj/usr/local/src/sys/ROAD i386
>Description:
Using libc's implementation of case-insensitive string comparison (str[n][case]cmp), it is possible to get a segmentation violation because NULL pointers aren't checked and *p++ is used blindly. Any occasional call to these functions with one of the string pointers equal to NULL may catch signal 11 and cause the program to die.
>How-To-Repeat:
Create the simplest test:

    #include <string.h>

    int main()
    {
        char *s1 = NULL, *s2 = NULL;
        return strcmp(s1, s2);   /* both pointers NULL: libc dereferences them */
    }

    > gcc -o test test.c
    > ./test
    Segmentation fault (core dumped)

>Fix:
Apply the patch below, rebuild and reinstall libc. Don't use str[n][case]cmp from libc until it's fixed unless you want your projects to die unexpectedly.

--- /usr/src/lib/libc/string/strcmp.c.orig	Mon May 26 15:35:59 2003
+++ /usr/src/lib/libc/string/strcmp.c	Mon May 26 15:37:05 2003
@@ -52,6 +52,8 @@ strcmp(s1, s2) register const char *s1, *s2; { + if (s1 == NULL || s2 == NULL) + return (0); while (*s1 == *s2++) if (*s1++ == 0) return (0); --- /usr/src/lib/libc/string/strncmp.c.orig Mon May 26 15:35:52 2003 +++ /usr/src/lib/libc/string/strncmp.c Mon May 26 15:36:36 2003 @@ -48,7 +48,7 @@ register size_t n; { - if (n == 0) + if (n == 0 || s1 == NULL || s2 == NULL) return (0); do { if (*s1 != *s2++) --- /usr/src/lib/libc/string/strcasecmp.c.orig Mon May 26 15:01:42 2003 +++ /usr/src/lib/libc/string/strcasecmp.c Mon May 26 15:03:54 2003 @@ -49,6 +49,7 @@ strcasecmp(s1, s2) const char *s1, *s2; { + if (s1 != NULL || s2 != NULL) { register const u_char *us1 = (const u_char *)s1, *us2 = (const u_char *)s2; @@ -57,6 +58,9 @@ if (*us1++ == '\0') return (0); return (tolower(*us1) - tolower(*--us2)); + } + return 0; + } int @@ -64,7 +68,7 @@ const char *s1, *s2; register size_t n; { - if (n != 0) { + if (s1 != NULL && s2 != NULL && n != 0) { register const u_char *us1 = (const u_char *)s1, *us2 = (const u_char *)s2; >Release-Note: >Audit-Trail: >Unformatted:
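Review bot: in the strcmp.c hunk (@@ -52,6 +52,8 @@), returning 0 when either argument is NULL makes strcmp(NULL, "x") report the two as equal, so a caller that gates a decision on `strcmp(a, b) == 0` takes the match branch on a pointer it never validated. If a NULL policy is introduced here it needs a distinct, documented ordering (and a note in the manual page), otherwise the ISO C contract, where a NULL argument is a caller bug, is the safer default.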
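Review bot: the strncmp.c hunk (@@ -48,7 +48,7 @@) folds the pointer checks into the existing `n == 0` test, which keeps the function's shape, but whatever NULL result is settled on for strcmp.c has to be the same here and in strcasecmp.c/strncasecmp.c so the four functions agree; please state the chosen semantics in the commit message.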
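Review bot: the first strcasecmp.c hunk (@@ -49,6 +49,7 @@) has the condition inverted: `if (s1 != NULL || s2 != NULL) {` still enters the comparison when only one pointer is NULL, so strcasecmp(NULL, "a") dereferences NULL exactly as before. It should be `if (s1 != NULL && s2 != NULL) {`, matching the `s1 != NULL && s2 != NULL && n != 0` form used in the strncasecmp hunk below.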
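Review bot: in the second strcasecmp.c hunk (@@ -57,6 +58,9 @@) the three added lines `}` / `return 0;` / `}` close the new if block and then the function, but the function's original closing brace is not visible in the context shown, so the brace pairing cannot be confirmed from the hunk alone; please verify the file compiles. Also `return 0;` departs from the file's `return (0);` style, and the body now wrapped by the new if was not re-indented.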
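As an added example, not code from the PR or from FreeBSD libc: caller-side wrappers (hypothetical safe_* names) that give the four str[n][case]cmp functions a defined result for NULL arguments without changing libc, ordering NULL before every string so that, unlike the patch's return of 0, a NULL is never reported equal to a real string. It assumes POSIX strcasecmp/strncasecmp from <strings.h>.

```c
/* Added example (not from the PR or FreeBSD libc): caller-side wrappers that
 * give str[n][case]cmp a defined result for NULL arguments. NULL sorts before
 * every string and only NULL == NULL compares equal, so a NULL can never be
 * mistaken for a matching string. safe_* names are hypothetical. */
#define _DEFAULT_SOURCE 1   /* strcasecmp prototypes on strict-C glibc builds */
#include <string.h>
#include <strings.h>        /* POSIX strcasecmp, strncasecmp */

/* Returns 1 with the NULL ordering in *res when either pointer is NULL,
 * 0 when both are valid and the real libc comparison should run. */
static int null_order(const char *s1, const char *s2, int *res)
{
    if (s1 == NULL || s2 == NULL) {
        *res = (s2 == NULL) - (s1 == NULL); /* NULL,NULL 0; NULL,str -1; str,NULL 1 */
        return 1;
    }
    return 0;
}

int safe_strcmp(const char *s1, const char *s2)
{
    int r;
    return null_order(s1, s2, &r) ? r : strcmp(s1, s2);
}

int safe_strncmp(const char *s1, const char *s2, size_t n)
{
    int r;
    return null_order(s1, s2, &r) ? r : strncmp(s1, s2, n);
}

int safe_strcasecmp(const char *s1, const char *s2)
{
    int r;
    return null_order(s1, s2, &r) ? r : strcasecmp(s1, s2);
}

int safe_strncasecmp(const char *s1, const char *s2, size_t n)
{
    int r;
    return null_order(s1, s2, &r) ? r : strncasecmp(s1, s2, n);
}

/* The PR's reproducer through the wrapper: exits 0 instead of SIGSEGV. */
int main(void)
{
    char *s1 = NULL, *s2 = NULL;
    return safe_strcmp(s1, s2);
}
```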