[Bug libc/3355] New: strnlen() accesses memory locations beyond (s + maxlen)

[Bug libc/3355] New: strnlen() accesses memory locations beyond (s + maxlen)

[kris dot van dot hees at oracle dot com]

Our testing has shown that glibc (all versions since 2.3.2 incl. CVS HEAD as of
Oct 12th, 2006 at 10:28 - have not tested earlier versions) implements strnlen()
in a way where memory locations (bytes) may be accessed beyond maxlen bytes from
the starting pointer.

Two problems exist (s is the starting pointer, maxlen is the byte count:
    1) The first loop looking at bytes up to the first long-aligned boundary
       will access bytes up to that boundary, even if (s + maxlen) refers to
       a memory location between s and the first long-alignment boundary.
    2) The second loop (running through the string 4 or 8 bytes at a time) can
       access memory locations beyond (s + maxlen) if (s + maxlen) does not end
       at the last byte in a long.  In that case, the remaining bytes are still
       accessed, even though they occur beyond (s + maxlen).

The following code fragment shows this problem:
-------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main() {
    char        *s      = (char *)malloc(3);
    char        *t      = (char *)malloc(8);

    s[1] = 'a';
    s[2] = 'b';

    t[0] = 'a';
    t[1] = 'b';
    t[2] = 'c';
    t[3] = 'd';
    t[4] = 'e';
    t[5] = '\0';

    printf("\t%p -> %ld\n", s + 1, my_strnlen(s + 1, 1));
    free(s);

    printf("\t%p -> %ld\n", t, my_strnlen(t, 0));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 1));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 2));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 3));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 4));
    printf("\t%p -> %ld\n", t, my_strnlen(t, 5));
    free(t);

    exit(0);
}
-------------------------------------------------------------------------

The problem is clearly visible when executing this using valgrind *provided* you
copy the strnlen() implementation from the glibc sources and renamr the function
to be my_strnlen().  Reason for this is that valgrind() otherwise will use its
own implementation of strnlen() which is slower but safe.

The attached patch file (against CVS) solves the problem with (as far as I can
determine) minimal performance impact.

-- 
           Summary: strnlen() accesses memory locations beyond (s + maxlen)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: kris dot van dot hees at oracle dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=3355

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/3355] strnlen() accesses memory locations beyond (s + maxlen)

[kris dot van dot hees at oracle dot com]

------- Additional Comments From kris dot van dot hees at oracle dot com  2006-10-12 14:51 -------
Created an attachment (id=1372)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=1372&action=view)
Patch for strnlen() illegal access problem

This patch resolves the two issues mentioned in the bug report.  The
performance impact of the changes should be minimal.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3355

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/3355] strnlen() accesses memory locations beyond (s + maxlen)

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2006-10-12 20:48 -------
This is by design.  The application cannot see any difference.  There never will
be any segfaults because of that.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX


http://sourceware.org/bugzilla/show_bug.cgi?id=3355

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/3355] strnlen() accesses memory locations beyond (s + maxlen)

[kris dot van dot hees at oracle dot com]

------- Additional Comments From kris dot van dot hees at oracle dot com  2006-10-12 23:48 -------
If this is by design, I'll see check to log a bug against the manpage for
strnlen (at least on linux, haven't check manpage for other ports) because the
manpage currently explicitly states:

       The  strnlen  function  returns  the number of characters in the string
       pointed to by s, not including the terminating '\0' character,  but  at
       most  maxlen.  In  doing  this,  strnlen looks only at the first maxlen
       characters at s and never beyond s+maxlen.

That last sentence is clearly not in sync with the implementation.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3355

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/3355] strnlen() accesses memory locations beyond (s + maxlen)

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2006-10-13 04:31 -------
There is no bug anywhere except in your understanding what the runtime is
supposed to do.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3355

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.