Bug 93093 - [libc] xdr_string might call strlen(3) on NULL
Summary: [libc] xdr_string might call strlen(3) on NULL
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 6.0-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-09 14:10 UTC by Jan Stary
Modified: 2017-06-29 01:20 UTC
Description Jan Stary 2006-02-09 14:10:01 UTC
The xdr_string(3) routine as present in usr/src/lib/libc/xdr/xdr.c
calls strlen() on the passed string during XDR_ENCODE, without
checking if it is NULL:

	/* excerpt of xdr_string() from usr/src/lib/libc/xdr/xdr.c; declarations omitted */
	xdr_string(xdrs, cpp, maxsize) {
		char *sp = *cpp;  /* sp is the actual string pointer */
		switch (xdrs->x_op) {
		case XDR_ENCODE:
			size = strlen(sp);	/* sp may be NULL here */
			break;

Fix:

The routine should probably check if (sp == NULL), and in that
case just return(FALSE);
How-To-Repeat:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <rpc/types.h>
#include <rpc/xdr.h>

int
main(void)
{
	XDR xdrs;
	char *string = NULL;

	xdrs.x_ops = NULL;
	xdrstdio_create(&xdrs, stdout, XDR_ENCODE);

	if (xdrs.x_ops == NULL) {
		fprintf(stderr, "x_ops still NULL after initialization!\n");
		return (1);
	}

	string = NULL;	/* this will make xdr_string dump a core */
	/* string = strdup("this will get correctly encoded"); */
	if (!xdr_string(&xdrs, &string, 64)) {
		fprintf(stderr, "cannot XDR_ENCODE string!\n");
		return (1);
	}

	xdr_destroy(&xdrs);
	free(string);

	return (0);
}
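The encode path and the proposed check, as an added example that is neither the reporter's code nor FreeBSD's libc: it re-implements the counted-string layout that xdr_string(3) emits on XDR_ENCODE in a stand-alone function (xdr_string_encode, xdr_buf and xdr_len are hypothetical names) so the NULL guard can be exercised without the RPC headers.

```c
/*
 * Added example (not FreeBSD's libc): a minimal in-memory encoder for
 * the XDR_ENCODE path of xdr_string(3), with the NULL check the report
 * proposes. Format: 4-byte big-endian length, bytes, zero pad to 4.
 */
#include <stdio.h>
#include <string.h>
#define TRUE	1
#define FALSE	0
typedef int bool_t;
unsigned char xdr_buf[64];	/* hypothetical scratch output */
size_t xdr_len;
/* FALSE (buf untouched) if sp is NULL, longer than maxsize, or does not
 * fit in buflen; otherwise TRUE with the byte count in *outlen. */
bool_t
xdr_string_encode(const char *sp, unsigned int maxsize,
    unsigned char *buf, size_t buflen, size_t *outlen)
{
	size_t size, padded;
	if (sp == NULL)			/* the check xdr_string(3) lacks */
		return (FALSE);
	size = strlen(sp);
	if (size > maxsize)		/* xdr_string(3) rejects this too */
		return (FALSE);
	padded = (size + 3) & ~(size_t)3;
	if (buflen < 4 + padded)
		return (FALSE);
	/* length word, big-endian, as xdr_u_int() would write it */
	buf[0] = (unsigned char)(size >> 24);
	buf[1] = (unsigned char)(size >> 16);
	buf[2] = (unsigned char)(size >> 8);
	buf[3] = (unsigned char)size;
	memcpy(buf + 4, sp, size);
	memset(buf + 4 + size, 0, padded - size);	/* XDR pad bytes */
	*outlen = 4 + padded;
	return (TRUE);
}
int main(void)
{
	size_t i;
	/* NULL is refused instead of reaching strlen() */
	printf("NULL -> %d\n", xdr_string_encode(NULL, 64, xdr_buf,
	    sizeof(xdr_buf), &xdr_len));
	if (xdr_string_encode("abc", 64, xdr_buf, sizeof(xdr_buf), &xdr_len))
		for (i = 0; i < xdr_len; i++)
			printf("%02x ", xdr_buf[i]);	/* 00 00 00 03 61 62 63 00 */
	putchar('\n');
	return (0);
}
```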