From owner-freebsd-bugs@FreeBSD.ORG Fri Feb 11 01:50:20 2005
Message-Id: <200502110146.j1B1kYwS021382@www.freebsd.org>
Date: Fri, 11 Feb 2005 01:46:34 GMT
From: Ed Maste
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/77369: [PATCH] strnstr(3) can read beyond specified length

>Number:         77369
>Category:       misc
>Synopsis:       [PATCH] strnstr(3) can read beyond specified length
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 11 01:50:19 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Ed Maste
>Release:        5.3-RELEASE-p2
>Organization:
Sandvine Inc.
>Environment:
>Description:
strstr(3) states

    The strnstr() function locates the first occurrence of the
    null-terminated string little in the string big, where not more than
    len characters are searched.

(It does not explicitly mention whether string big must be null terminated
or not.)

However, strnstr may actually read one character more than len if the
string is not null-terminated.
>How-To-Repeat:
strnstrtest.c:

#include <stdio.h>
#include <stdlib.h>	/* malloc() */
#include <string.h>	/* memset(), strnstr() */

#define PAGE_SIZE 4096

int
main(int argc, char *argv[])
{
	char *str;
	char *buf = malloc(PAGE_SIZE);

	/* Fill a whole page with '-' and no terminating NUL. */
	memset(buf, '-', PAGE_SIZE);
	/*
	 * A correct strnstr() stops after PAGE_SIZE bytes; the buggy one
	 * reads buf[PAGE_SIZE], the first byte of the next page.
	 */
	str = strnstr(buf, "little", PAGE_SIZE);
	printf("strnstr returned %p\n", str);
	return (0);
}

$ cc -g strnstrtest.c -o strnstrtest
$ ./strnstrtest
Segmentation fault (core dumped)
>Fix:
--- src/lib/libc/string/strnstr.c.orig
+++ src/lib/libc/string/strnstr.c
@@ -60,7 +60,7 @@
 	len = strlen(find);
 	do {
 		do {
-			if ((sc = *s++) == '\0' || slen-- < 1)
+			if (slen-- < 1 || (sc = *s++) == '\0')
 				return (NULL);
 		} while (sc != c);
 		if (len > slen)
>Release-Note:
>Audit-Trail:
>Unformatted:
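Review bot: the swap is the right fix for the over-read, because `slen-- < 1` is now evaluated before `(sc = *s++)`, so once the count is exhausted the byte at offset len of big is never dereferenced, and the unchanged `if (len > slen)` context line still bounds the tail comparison on the decremented remainder, so nothing else in the loop needs to change. What the patch leaves out is the documentation gap the description itself raises: strstr(3) says nothing about whether big must be NUL-terminated, and this diff only touches strnstr.c, so a sentence in the man page stating that big need not be NUL-terminated when len bounds the search should go in with it, otherwise callers cannot tell that an unterminated buffer with an exact len is supported.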
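Added here as an instrumented illustration of the two check orders in the report (example code, not the libc strnstr() and not Ed Maste's test program): every haystack read goes through a counting helper, so a test can show that the original order reads one byte past len on an unterminated buffer while the patched order stays inside it. The names peek, strnstr_variant and bytes_read_past_limit are this example's own, and the 16-byte buffer of '-' is constructed to mirror the PAGE_SIZE repro above.

```c
#include <string.h>

/* Instrumented copies of the two check orders from the report. Every
 * haystack read goes through peek(), which records the highest offset
 * touched, so a test can measure how far past the caller's limit each
 * order reads. Constructed for illustration; this is not the libc code. */
static size_t max_offset_read;

static char peek(const char *base, const char *p)
{
    size_t off = (size_t)(p - base);
    if (off > max_offset_read)
        max_offset_read = off;
    return *p;
}

/* prepatch != 0: NUL test before length test (the bug); 0: length test first (the patch). */
static char *strnstr_variant(const char *big, const char *find, size_t slen, int prepatch)
{
    const char *s = big;
    char c, sc = 0;
    size_t len;

    if ((c = *find++) != '\0') {
        len = strlen(find);
        do {
            do {
                if (prepatch ? ((sc = peek(big, s++)) == '\0' || slen-- < 1)
                             : (slen-- < 1 || (sc = peek(big, s++)) == '\0'))
                    return NULL;
            } while (sc != c);
            if (len > slen)        /* remaining bytes must still hold the tail */
                return NULL;
        } while (strncmp(s, find, len) != 0);
        s--;
    }
    return (char *)s;
}

/* Search 16 '-' bytes with no NUL anywhere (a 17th '-' stands in for the
 * byte past the limit); returns how many bytes were read beyond the limit. */
static size_t bytes_read_past_limit(int prepatch)
{
    char buf[17];
    memset(buf, '-', sizeof buf);
    max_offset_read = 0;
    strnstr_variant(buf, "little", 16, prepatch);
    return max_offset_read >= 16 ? max_offset_read - 15 : 0;
}
```

bytes_read_past_limit(1) reports 1 byte read beyond the limit for the original order and bytes_read_past_limit(0) reports 0 for the patched order, which is the same one-byte over-read the segfault above exposes at a page boundary.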