Hello!
xmalloc is guaranteed to return non-NULL. If it were to return NULL, BIRD would
die instead. That's why it's xmalloc and not malloc.
Maria
On April 27, 2020 5:26:58 AM GMT+02:00, liupe...@zju.edu.cn wrote:
>Hi,
>
>In lib/string.h line 38,
>
>static inline char *
>xstrdup(const char *c)
>{
> size_t l = strlen(c) + 1;
> // xmalloc may fail, and z will be NULL.
> char *z = xmalloc(l);
> // write to a NULL pointer, crash.
> memcpy(z, c, l);
> return z;
>}
>
>I think this is a vulnerability, and maybe we can fix it as following:
>
>static inline char *
>xstrdup(const char *c)
>{
> size_t l = strlen(c) + 1;
> char *z = xmalloc(1);
> if(z)
> {
> memcpy(z, c, l);
> return z;
> }
> else return -1;
>}
>
>Thanks for any consideration!
>
>Peiyu Liu,
>NESA lab,
>Zhejiang University
>
>
>
>--
>
>-----原始邮件-----
>发件人:liupe...@zju.edu.cn
>发送时间:2020-04-27 10:06:41 (星期一)
>收件人:bird-users@network.cz
>抄送:
>主题:Vulnerability? Bug? Missing check after xmalloc() in xstrdup().
>
>Hi,
>
>In lib/string.h line 38,
>
>static inline char *
>xstrdup(const char *c)
>{ size_t l = strlen(c) + 1;
>// xmalloc may fail, and z will be NULL.
>char *z = xmalloc(l);
>// write to a NULL pointer, crash.
>memcpy(z, c, l);
>return z;
>}
>
>I think this is a vulnerability, and maybe we can fix it as following:
>
>
>static inline char *
>xstrdup(const char *c)
>{
>size_t l = strlen(c) + 1;
>char *z = xmalloc(1);
>if(z)
>{
>memcpy(z, c, l);
>return z;
>}
>else return -1;
>}
>
>Thanks for any consideration!
>
>Peiyu Liu,
>NESA lab,
>Zhejiang University
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
