Date:      Tue, 27 May 2003 12:57:25 +0400 (MSD)
From:      Seva Gluschenko <gvs@rinet.ru>
To:        Peter Pentchev <roam@ringlet.net>
Cc:        Dag-Erling Smorgrav <des@FreeBSD.org>
Subject:   Re: bin/52691: str[n][case]cmp may cause segmentation violation with NULL pointers passed
Message-ID:  <20030527124544.Q33922@road.demos.su>
In-Reply-To: <20030527083139.GA513@straylight.oblivion.bg>
References:  <200305262053.h4QKr3GB026031@freefall.freebsd.org> <20030527083139.GA513@straylight.oblivion.bg>

Message of Peter Pentchev at May 27 11:31 ...

PP> > DS> The bug is in the application that passes NULL to strcmp.

PP> > Well, sir, can you please quote me some ISO C89 or another standard
PP> > which allows str*cmp not to care about NULL pointers?

PP> I think that in this case, the burden just might be on the programmer;
PP> with all due respect, could you quote any part of the standard that
PP> specifies that str[n]cmp behaves in a special way about NULL pointers?
PP> In my experience, such behavior is usually explicitly documented, such
PP> as the EBADF or EINVAL error returns from select(2), under an 'ERRORS'
PP> or similar section of the standard.  The SUSv3 description of
PP> strncmp(3), available online for a free registration at
PP> http://www.unix-systems.org/single_unix_specification/, does not seem to
PP> mention NULL pointers or error conditions anywhere, except for the 'no
PP> errors are defined' sentence in the 'ERRORS' section.

Well, they aren't mentioned, really. But which programmer exactly must
carry that burden: the one who passes NULL pointers to str*cmp (since
they really are NOT mentioned, may one suppose it IS safe?) or the one
who uses NULL pointers as if they weren't NULL (inside str*cmp) and thus
breaks any idea of programming style, etc.?

If I wasn't clear, the question is: who carries responsibility for
checking pointers, the one who passes them or the one who uses them?

The first answer of course satisfies those who wrote that code years
ago, because they need not worry about the clarity of their code now.

The second answer makes more sense to me, however: one MUST care about
the pointers one uses if one wants non-exploitable and non-crashable
code. If one refuses such responsibility and wants to write dirty,
blind code, one MUST document it, saying "these functions will crash
when NULL pointers are passed".

Not everyone on Earth has the time, the patience and the source code
of library functions to check them out and to write test patterns
proving their behaviour. If it claims to be a library, it MUST be clear.

SY, Seva Gluschenko, just stranger on The Road.
Demos-Internet NOC	| GVS-RIPE | GVS3-RIPN
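As an added example, not code from this thread or from FreeBSD's libc: the "callee checks" position above made concrete as hypothetical str*cmp wrappers with a documented NULL contract (NULL sorts before every string, two NULLs are equal). Plain strcmp(3) gives no such promise; ISO C leaves a NULL argument undefined, so with the unwrapped libc functions the check belongs to the caller.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Hypothetical wrappers (not FreeBSD libc).  Documented contract:
 * NULL sorts before every string, including "", and two NULLs compare
 * equal.  Only when both pointers are non-NULL is libc called at all.
 */

/* Shared policy; returns 1 when both pointers are non-NULL and the
 * real comparison should run, otherwise stores the result in *out. */
static int null_policy(const char *a, const char *b, int *out)
{
    if (a != NULL && b != NULL)
        return 1;
    *out = (a != NULL) - (b != NULL);   /* NULL < non-NULL, NULL == NULL */
    return 0;
}

int strcmp_null(const char *a, const char *b)
{
    int r;
    return null_policy(a, b, &r) ? strcmp(a, b) : r;
}

int strncmp_null(const char *a, const char *b, size_t n)
{
    int r;
    return null_policy(a, b, &r) ? strncmp(a, b, n) : r;
}

int strncasecmp_null(const char *a, const char *b, size_t n)
{
    int r;
    return null_policy(a, b, &r) ? strncasecmp(a, b, n) : r;
}

int main(void)
{
    /* Constructed inputs: an unset (NULL) option beside set ones. */
    const char *unset = NULL, *empty = "", *word = "FreeBSD";
    printf("%d %d %d %d\n", strcmp_null(unset, unset),
           strcmp_null(unset, empty), strcmp_null(empty, unset),
           strncasecmp_null(word, "freebsd", 7));
    return 0;
}
```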