Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 12 Jan 2001 19:02:01 +0000
From:      Tony Finch <dot@dotat.at>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/24278: strlcat may read from inaccessible memory
Message-ID:  <E14H9Sb-000GKE-00@hand.dotat.at>
next in thread | raw e-mail | index | archive | help 

>Number:         24278
>Category:       bin
>Synopsis:       strlcat may read from inaccessible memory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 12 11:10:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Tony Finch
>Release:        FreeBSD 4.2-BETA-20001113 i386
>Organization:
Covalent Technologies, Inc.
>Environment:

FreeBSD hand.dotat.at 4.2-BETA-20001113 FreeBSD 4.2-BETA-20001113 #0: Tue Nov 14 00:42:35 UTC 2000     fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/DELL-Latitude-CPx  i386

The problem appears to exist in all versions of strlcat

>Description:

If the buffer size passed to strlcat is zero then it still reads a byte from
the destination buffer when working out its length. This can cause the
program to crash if the destination pointer is just after the end of a
malloced buffer, for example.

This problem was discovered by Richard Kettlewell <rjk@greenend.org.uk>

>How-To-Repeat:

strlcat(0, "foo", 0);

>Fix:

Index: strlcat.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/string/strlcat.c,v
retrieving revision 1.2
diff -u -r1.2 strlcat.c
--- strlcat.c	1999/08/10 05:58:57	1.2
+++ strlcat.c	2001/01/12 18:48:35
@@ -51,7 +51,7 @@
 	size_t dlen;
 
 	/* Find the end of dst and adjust bytes left but don't go past end */
-	while (*d != '\0' && n-- != 0)
+	while (n-- != 0 && *d != '\0')
 		d++;
 	dlen = d - dst;
 	n = siz - dlen;

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E14H9Sb-000GKE-00>