[Bug libc/3355] New: strnlen() accesses memory locations beyond (s + maxlen)

["kris dot van dot hees at oracle dot com" <sourceware-bugzilla@sourceware.org>]

Our testing has shown that glibc (all versions since 2.3.2 incl. CVS HEAD as of
Oct 12th, 2006 at 10:28 - have not tested earlier versions) implements strnlen()
in a way where memory locations (bytes) may be accessed beyond maxlen bytes from
the starting pointer.

Two problems exist (s is the starting pointer, maxlen is the byte count:
    1) The first loop looking at bytes up to the first long-aligned boundary
       will access bytes up to that boundary, even if (s + maxlen) refers to
       a memory location between s and the first long-alignment boundary.
    2) The second loop (running through the string 4 or 8 bytes at a time) can
       access memory locations beyond (s + maxlen) if (s + maxlen) does not end
       at the last byte in a long.  In that case, the remaining bytes are still
       accessed, even though they occur beyond (s + maxlen).

The following code fragment shows this problem:
-------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main() {
    char        *s      = (char *)malloc(3);
    char        *t      = (char *)malloc(8);

    s[1] = 'a';
    s[2] = 'b';

    t[0] = 'a';
    t[1] = 'b';
    t[2] = 'c';
    t[3] = 'd';
    t[4] = 'e';
    t[5] = '\0';

    printf("\t%p -> %ld\n", s + 1, my_strnlen(s + 1, 1));
    free(s);

    printf("\t%p -> %ld\n", t, my_strnlen(t, 0));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 1));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 2));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 3));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 4));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 5));
    free(t);

    exit(0);
}
-------------------------------------------------------------------------

The problem is clearly visible when executing this using valgrind *provided* you
copy the strnlen() implementation from the glibc sources and renamr the function
to be my_strnlen().  Reason for this is that valgrind() otherwise will use its
own implementation of strnlen() which is slower but safe.

The attached patch file (against CVS) solves the problem with (as far as I can
determine) minimal performance impact.

-- 
           Summary: strnlen() accesses memory locations beyond (s + maxlen)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: kris dot van dot hees at oracle dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=3355

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.