[Bug libc/1967] New: no parameter check in aio_return() in rt/aio_return.c

[Bug libc/1967] New: no parameter check in aio_return() in rt/aio_return.c

[heiko dot nardmann at secunet dot com]

In function aio_return() in rt/aio_return.c the parameter aiocbp is not checked 
against NULL before dereferencing: 
 
ssize_t 
aio_return (aiocbp) 
     struct aiocb *aiocbp; 
{ 
  return aiocbp->__return_value; 
}

-- 
           Summary: no parameter check in aio_return() in rt/aio_return.c
           Product: glibc
           Version: 2.3.5
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: heiko dot nardmann at secunet dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=1967

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/1967] no parameter check in aio_return() in rt/aio_return.c

[heiko dot nardmann at secunet dot com]

------- Additional Comments From heiko dot nardmann at secunet dot com  2005-12-02 08:40 -------
The same for aio_error() in rt/aio_error.c: 
 
int 
aio_error (aiocbp) 
     const struct aiocb *aiocbp; 
{ 
  return aiocbp->__error_code; 
} 

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=1967

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/1967] no parameter check in aio_return() in rt/aio_return.c

[jakub at redhat dot com]

------- Additional Comments From jakub at redhat dot com  2005-12-02 08:46 -------
Please stop with this.  There are hundreds of such functions in glibc,
and bad arguments are intentionally not checked in them, among other for
performance reasons.
http://www.opengroup.org/onlinepubs/009695399/functions/aio_return.html
doesn't allow the aiocbp argument to be NULL, it must be a reference to
a valid aiocb structure which NULL is not.
From
http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_03.html#tag_02_03
you can see that it is allowed to return -1 and EFAULT in errno in that case,
but it is not guaranteed.
Furthermore, even if you add a check for NULL, aio_return ((struct aiocb *)28);
would still crash and there is really no difference between NULL and (struct
aiocb *)28 as far as this function is concerned.  Both are invalid arguments,
triggering undefined behaviour.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID


http://sourceware.org/bugzilla/show_bug.cgi?id=1967

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.