Date: Mon, 29 Mar 1999 02:55:45 -0800 (PST)
From: pete@iki.fi
To: freebsd-gnats-submit@freebsd.org
Subject: bin/10855: Memory allocation bug in usr/bin/strings.c
Message-ID: <19990329105545.4C951153C6@hub.freebsd.org>

>Number:         10855
>Category:       bin
>Synopsis:       Memory allocation bug in usr/bin/strings.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 29 03:00:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Petteri Holländer
>Release:        -
>Organization:
>Environment:

I can see this on FreeBSD 3.0 stable (branches/3.0-stable) branch.

>Description:

Lines 140-142 in the file strings.c (/usr/bin/strings):

	if (!(bfr = malloc((u_int)minlen)))
		errx(1, "malloc");
	bfr[minlen] = '\0';

..at the last line there is obviously a bug, due to the fact that
bfr[minlen] does not belong to the malloc'd area?

Obviously this has not been a problem (luck?), but as far as I can tell,
the code is broken.

>How-To-Repeat:

>Fix:

Change line 140 in the strings.c from:

	if (!(bfr = malloc((u_int)minlen)))

to:

	if (!(bfr = malloc((u_int)minlen+1)))

=> this should make referencing bfr[minlen] legal..

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
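The sizing rule from the proposed fix, as an added example that is not part of the original report or the FreeBSD source: a small strings-style scanner whose buffer holds minlen characters plus the terminator, so index minlen is a valid write. The names count_strings and sample, and the input bytes, are constructed for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: binary bytes around three printable runs. */
static const unsigned char sample[] =
    "\x00\x01" "abcd" "\x00" "xy" "\x00" "hello world" "\x7f";

/*
 * Hypothetical helper, not the FreeBSD code: count runs of at least minlen
 * printable bytes; the first minlen bytes of the latest run go to prefix_out
 * as a C string. Returns -1 on bad arguments or allocation failure.
 */
int count_strings(const unsigned char *data, size_t len, size_t minlen,
    char *prefix_out, size_t prefix_sz)
{
	char *bfr;
	size_t i, cnt = 0;
	int found = 0;
	if (minlen == 0 || minlen == SIZE_MAX || prefix_sz < minlen + 1)
		return (-1);
	if ((bfr = malloc(minlen + 1)) == NULL)	/* minlen chars + terminator */
		return (-1);
	bfr[minlen] = '\0';	/* index minlen is inside the allocation */
	for (i = 0; i < len; i++) {
		if (!isprint(data[i]) && data[i] != '\t') {
			cnt = 0;	/* run broken, start over */
			continue;
		}
		if (cnt < minlen)
			bfr[cnt] = (char)data[i];	/* indices 0..minlen-1 */
		if (++cnt == minlen) {	/* run just reached minlen */
			found++;
			memcpy(prefix_out, bfr, minlen + 1);
		}
	}
	free(bfr);
	return (found);
}

int main(void)
{
	char p[8];
	int n = count_strings(sample, sizeof(sample) - 1, 4, p, sizeof(p));
	printf("%d strings, last prefix \"%s\"\n", n, p);
	return (0);
}
```

Building this with -fsanitize=address and changing the allocation back to minlen bytes makes the one-byte heap overflow at bfr[minlen] show up as a reported error instead of passing silently.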