The xdr_string(3) routine as present in usr/src/lib/libc/xdr/xdr.c calls strlen() on the passed string during XDR_ENCODE, without checking if it is NULL:

/* Excerpt as quoted in this report: declarations and the rest of the body are not shown. */
xdr_string(xdrs, cpp, maxsize)
{
	char *sp = *cpp;  /* sp is the actual string pointer; copied from *cpp with no NULL test */

	switch (xdrs->x_op) {
	case XDR_ENCODE:
		/* sp is handed to strlen() as-is; with *cpp == NULL this is a NULL pointer
		 * dereference (undefined behaviour), which is the crash reported here. */
		size = strlen(sp);
		break;

Fix: The routine should probably check if (sp == NULL), and in that case just return(FALSE);

How-To-Repeat:

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <rpc/types.h>
#include <rpc/xdr.h>

/*
 * Reproducer: creates an XDR_ENCODE stream on stdout and asks xdr_string()
 * to encode a char * that is NULL. Returns 1 if stream setup or encoding
 * reports failure, 0 otherwise; with the unpatched routine the process is
 * expected to crash inside xdr_string() instead of returning.
 */
int main()
{
	XDR xdrs;
	char *string = NULL;

	/* Sentinel: xdrstdio_create() returns no status, so x_ops is cleared first
	 * and tested afterwards to detect a handle that was never initialised. */
	xdrs.x_ops = NULL;
	xdrstdio_create(&xdrs, stdout, XDR_ENCODE);
	if(NULL==xdrs.x_ops) {
		fprintf(stderr, "x_ops still NULL after initialization!\n");
		return 1;
	}
	string = NULL; /* this will make xdr_string dump a core */
	/* Control case: enable the next line instead to see a normal encode. */
	/* string = strdup("this will get correctly encoded"); */
	/* 64 is the maxsize argument. With the proposed fix this call would return
	 * FALSE and take the error branch below instead of crashing. Until the
	 * routine checks for itself, callers must ensure *cpp is non-NULL before
	 * encoding. */
	if(! xdr_string(&xdrs, &string, 64)) {
		fprintf(stderr, "cannot XDR_ENCODE string!\n");
		return 1;
	}
	xdr_destroy(&xdrs);
	free(string); /* no-op for NULL; releases the strdup() buffer in the control case */
	return 0;
}