This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.



Re: strndup bug [fix included]


Thanks David. Fixes have been checked in. The logic in strnlen needed tweaking because it was looking for the nul terminator before checking the max limit, so one could end up getting an access failure even though the n value should have stopped it from happening.

-- Jeff J.

David Carne wrote:
Issue:
strndup crashes [sometimes] when presented with a non-null terminated
source string, even if the length parameter is within the bounds of
the source string.

The problem is caused by:
size_t len = MIN(strlen (str), n); [Line 13, newlib/libc/string/strndup_r.c]

The strlen will attempt to measure the length of the entire string
before comparison with the length parameter, which is not only
inefficient, but causes the bug noted above ;).

The fix is to replace strlen (str) with strnlen(str, n) - and since
the MIN then becomes irrelevant, line 13 could be replaced with

size_t len = strnlen (str, n);

Cheers,

--David Carne
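The two halves of the fix discussed above, as an added C example that is not newlib's own code: `strnlen_deref_first` shows the operand order Jeff describes (read the byte, then compare against n), `my_strnlen` checks the bound before every read, and `my_strndup` is built on the bounded scan the way David's one-line replacement suggests. The function names are the example's own, and the unterminated buffer in `demo()` is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bound check after the dereference (the order Jeff describes). On a
 * terminated string this gives the right answer, which is why the bug
 * only shows up "sometimes". On an unterminated buffer of exactly n
 * bytes the loop reads s[n], one past the end, before i < n stops it.
 * Shown for comparison only; do not call it on such a buffer. */
size_t strnlen_deref_first(const char *s, size_t n)
{
    size_t i = 0;
    while (s[i] != '\0' && i < n)  /* s[i] is read even when i == n */
        i++;
    return i;
}

/* Bound check first: s[i] is only read once i < n is known to hold,
 * so at most n bytes of the source are ever touched. */
size_t my_strnlen(const char *s, size_t n)
{
    size_t i = 0;
    while (i < n && s[i] != '\0')
        i++;
    return i;
}

/* strndup using the bounded scan instead of MIN(strlen(str), n).
 * strlen() would walk past the caller's n looking for a NUL that an
 * unterminated source never has. */
char *my_strndup(const char *str, size_t n)
{
    size_t len = my_strnlen(str, n);
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, str, len);
    p[len] = '\0';
    return p;
}

/* Returns 1 if my_strndup(s, n) yields exactly `expect`, else 0. */
int strndup_matches(const char *s, size_t n, const char *expect)
{
    char *d = my_strndup(s, n);
    int ok = (d != NULL && strcmp(d, expect) == 0);
    free(d);
    return ok;
}

/* The failing case from the thread: a source with no terminator at all,
 * duplicated with n equal to its size. Returns the duplicate's length. */
size_t demo(void)
{
    char buf[4] = { 'a', 'b', 'c', 'd' };  /* constructed: no NUL anywhere */
    char *d = my_strndup(buf, sizeof buf); /* reads buf[0..3] only */
    size_t len = d ? strlen(d) : 0;
    free(d);
    return len;  /* 4 */
}

int main(void)
{
    printf("strndup of unterminated 4-byte buffer: len=%zu\n", demo());
    printf("strndup(\"hello\", 3) == \"hel\": %d\n",
           strndup_matches("hello", 3, "hel"));
    return 0;
}
```

The only difference between the two `strnlen` variants is which operand of `&&` comes first; C's short-circuit evaluation is what turns that into a real bounds guarantee.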

