Created attachment 147037
patch -p0 against CURRENT

The internal istrsenvisx() routine overloaded the zero length value as a sentinel for "use strlen(3)." This is bad because the zero-length source string has a defined behavior and the pointer for a zero-length string may be completely bogus. Calling strlen(3) on a bogus pointer is bad.

Instead, use ssize_t for the input string length and use a #defined constant MB_STRZ == (-1) as the sentinel for the nul-terminated strvis variants (strvis, etc).

Sponsored by: EMC / Isilon storage division
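The sentinel problem described in the report, as an added example that is not part of the original report or of libc's vis.c. The function names (escape, enc_overloaded, enc_sentinel) and the simplified octal escaping are assumptions made for illustration; only MB_STRZ == (-1) and the use of ssize_t come from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>          /* ssize_t */
#define MB_STRZ ((ssize_t)-1)   /* sentinel from the report: "src is NUL-terminated" */

/* Toy escaper (hypothetical, not the vis(3) encoding): non-printable bytes
 * and backslashes become \ooo. Returns bytes written, excluding the NUL. */
static size_t escape(char *dst, const char *src, size_t len)
{
    char *d = dst;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (isprint(c) && c != '\\')
            *d++ = (char)c;
        else
            d += sprintf(d, "\\%03o", (unsigned)c);
    }
    *d = '\0';
    return (size_t)(d - dst);
}

/* "Before" pattern: len == 0 doubles as "call strlen()", so a caller that
 * means "zero bytes" still has src dereferenced and scanned. */
size_t enc_overloaded(char *dst, const char *src, size_t len)
{
    if (len == 0)
        len = strlen(src);
    return escape(dst, src, len);
}

/* "After" pattern: signed length; only MB_STRZ triggers strlen(). A length
 * of 0 yields an empty result without reading src at all. */
size_t enc_sentinel(char *dst, const char *src, ssize_t len)
{
    if (len == MB_STRZ)
        len = (ssize_t)strlen(src);
    if (len < 0)                /* reject any other negative length */
        len = 0;
    return escape(dst, src, (size_t)len);
}

int main(void)
{
    const char record[] = "next\tfield"; /* constructed sample; valid memory keeps */
    char out[64];                        /* the "before" call well-defined here   */
    printf("overloaded, len 0: %zu\n", enc_overloaded(out, record, 0));
    printf("sentinel, len 0, NULL src: %zu\n", enc_sentinel(out, NULL, 0));
    printf("sentinel, MB_STRZ: %zu\n", enc_sentinel(out, record, MB_STRZ));
    return 0;
}
```

With a valid pointer the overloaded variant only produces wrong output (13 bytes instead of 0); with an invalid pointer the same call is an out-of-bounds read, which is the case the report is about.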
Please submit this to NetBSD so we can merge from upstream.
Okay. I submitted it to NetBSD through their bug submission form. I don't have a URL back from them yet. The patch applies cleanly to lib/libc/gen/vis.c in NetBSD CVS.
Upstream: http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=49185
Thanks! I'll get it merged.
Thanks! :)
A commit references this bug:
Author: brooks
Date: Mon Sep 8 19:26:22 UTC 2014
New revision: 271287
URL: http://svnweb.freebsd.org/changeset/base/271287
Log:
  Merge from NetBSD:
  PR/49185: Conrad Meyer: strvisx: Handle zero-length input strings gracefully.
  (don't abuse 0 to mean compute string length internally)
  PR: 193447
  Submitted by: Conrad Meyer <conrad.meyer@isilon.com>
  MFC after: 1 month
Changes:
  _U head/contrib/libc-vis/
  head/contrib/libc-vis/vis.c
Committed in r271287. Will merge after 10.1 is out.
(In reply to Brooks Davis from comment #7)
> Committed in r271287. Will merge after 10.1 is out.
Thanks!
A commit references this bug:
Author: brooks
Date: Wed Oct 8 15:44:12 UTC 2014
New revision: 272753
URL: https://svnweb.freebsd.org/changeset/base/272753
Log:
  MFC r271287:
  Merge from NetBSD:
  PR/49185: Conrad Meyer: strvisx: Handle zero-length input strings gracefully.
  (don't abuse 0 to mean compute string length internally)
  PR: 193447
  Submitted by: Conrad Meyer <conrad.meyer@isilon.com>
Changes:
  _U stable/10/
  stable/10/contrib/libc-vis/vis.c
A commit references this bug:
Author: brooks
Date: Wed Oct 8 15:58:30 UTC 2014
New revision: 272755
URL: https://svnweb.freebsd.org/changeset/base/272755
Log:
  MFC r271287:
  Merge from NetBSD:
  PR/49185: Conrad Meyer: strvisx: Handle zero-length input strings gracefully.
  (don't abuse 0 to mean compute string length internally)
  PR: 193447
  Submitted by: Conrad Meyer <conrad.meyer@isilon.com>
Changes:
  _U stable/9/
  _U stable/9/contrib/libc-vis/
  stable/9/contrib/libc-vis/vis.c
  _U stable/9/etc/
  _U stable/9/etc/rc.d/
  stable/9/etc/rc.d/devd
  _U stable/9/sbin/
  _U stable/9/sbin/devd/
  stable/9/sbin/devd/devd.cc
  _U stable/9/share/
  _U stable/9/share/man/
  _U stable/9/share/man/man4/
  stable/9/share/man/man4/devctl.4
  _U stable/9/tools/
  _U stable/9/tools/tools/
  _U stable/9/tools/tools/sysdoc/
  stable/9/tools/tools/sysdoc/tunables.mdoc
stable/9 commit looks bad.
A commit references this bug:
Author: brooks
Date: Wed Oct 8 16:35:59 UTC 2014
New revision: 272760
URL: https://svnweb.freebsd.org/changeset/base/272760
Log:
  Revert botched r272755.
  PR: 193447
Changes:
  _U stable/9/
  _U stable/9/contrib/libc-vis/
  stable/9/contrib/libc-vis/vis.c
  _U stable/9/etc/
  _U stable/9/etc/rc.d/
  stable/9/etc/rc.d/devd
  _U stable/9/sbin/
  _U stable/9/sbin/devd/
  stable/9/sbin/devd/devd.cc
  _U stable/9/share/
  _U stable/9/share/man/
  _U stable/9/share/man/man4/
  stable/9/share/man/man4/devctl.4
  _U stable/9/tools/
  _U stable/9/tools/tools/
  _U stable/9/tools/tools/sysdoc/
  stable/9/tools/tools/sysdoc/tunables.mdoc
A commit references this bug:
Author: brooks
Date: Tue Oct 21 16:44:04 UTC 2014
New revision: 273387
URL: https://svnweb.freebsd.org/changeset/base/273387
Log:
  MFC r271287:
  Merge from NetBSD:
  PR/49185: Conrad Meyer: strvisx: Handle zero-length input strings gracefully.
  (don't abuse 0 to mean compute string length internally)
  PR: 193447
  Submitted by: Conrad Meyer <conrad.meyer@isilon.com>
Changes:
  _U stable/9/contrib/libc-vis/
  stable/9/contrib/libc-vis/vis.c
Merges complete, MFC metadata corrected.