Hello! xmalloc is guaranteed to return non-NULL. If it were to return NULL, BIRD would die instead. That's why it's xmalloc and not malloc.

Maria
On April 27, 2020 5:26:58 AM GMT+02:00, liupe...@zju.edu.cn wrote:
>Hi,
>
>In lib/string.h line 38,
>
>static inline char *
>xstrdup(const char *c)
>{
>  size_t l = strlen(c) + 1;
>  // xmalloc may fail, and z will be NULL.
>  char *z = xmalloc(l);
>  // write to a NULL pointer, crash.
>  memcpy(z, c, l);
>  return z;
>}
>
>I think this is a vulnerability, and maybe we can fix it as follows:
>
>static inline char *
>xstrdup(const char *c)
>{
>  size_t l = strlen(c) + 1;
>  char *z = xmalloc(l);
>  if (z)
>  {
>    memcpy(z, c, l);
>    return z;
>  }
>  else
>    return NULL;
>}
>
>Thanks for any consideration!
>
>Peiyu Liu,
>NESA lab,
>Zhejiang University
>
>--
>
>-----Original Message-----
>From: liupe...@zju.edu.cn
>Sent: 2020-04-27 10:06:41 (Monday)
>To: bird-users@network.cz
>Cc:
>Subject: Vulnerability? Bug? Missing check after xmalloc() in xstrdup().

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
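The allocator contract described in the reply, as an added example that is not BIRD's own code: a hypothetical `die()` aborts the process when `malloc` fails, so `xmalloc` can never return NULL and `xstrdup` needs no check before `memcpy`. `xstrdup_roundtrip_ok` is a helper added here to exercise the pair.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fatal-error handler (assumption, not BIRD's own die()):
   log the message and terminate the process instead of returning. */
static void die(const char *msg)
{
  fputs(msg, stderr);
  fputc('\n', stderr);
  abort();
}

/* Allocation wrapper that never returns NULL: on failure the process
   terminates inside die(), so every caller may use the result directly. */
static void *xmalloc(size_t n)
{
  void *p = malloc(n);
  if (!p)
    die("xmalloc: out of memory");
  return p;
}

/* xstrdup built on xmalloc: the memcpy is safe because xmalloc either
   returns a buffer of at least l bytes or does not return at all. */
static char *xstrdup(const char *c)
{
  size_t l = strlen(c) + 1;
  char *z = xmalloc(l);
  memcpy(z, c, l);
  return z;
}

/* Test helper: duplicate s, verify the copy is a distinct buffer with
   identical contents and terminator, free it, and report the result. */
static int xstrdup_roundtrip_ok(const char *s)
{
  char *d = xstrdup(s);
  int ok = (d != s) && (strcmp(d, s) == 0) && (strlen(d) == strlen(s));
  free(d);
  return ok;
}
```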