Closed Bug 400119 Opened 17 years ago Closed 16 years ago

Fix UMRs in getLibName()

Categories

(NSS :: Libraries, defect, P2)

Sun
Solaris

Tracking

(Not tracked)

RESOLVED FIXED
3.11.8

People

(Reporter: nelson, Assigned: nelson)

References

()

Details

Attachments

(1 file)

NSS function getLibName calls sysinfo() and then uses strstr to scan the 
result buffer for a certain string.  The code is:

>  74 const static char int_hybrid_isa[] = "sparcv8plus";
>  75 const static char fpu_hybrid_isa[] = "sparcv8plus+vis";

>  82     char * found_int_hybrid;
>  83     char * found_fpu_hybrid;
>  84     long buflen;
>  85     char buf[256];
>  86 
>  87     buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
>  88     if (buflen <= 0) 
>  89         return NULL;

>  97     found_int_hybrid = strstr(buf, int_hybrid_isa);
>  98     found_fpu_hybrid = strstr(buf, fpu_hybrid_isa);

Purify reports UMR (Uninitialized Memory Reads) occurring in those two
calls to strstr.  We believe the only way UMRs can occur in strstr is
if the buffer "buf" is not NUL terminated.

Solaris's sysinfo(2) man page says:

> SYNOPSIS
>       #include <sys/systeminfo.h>
>       long sysinfo(int command, char *buf, long count);

> RETURN VALUES
> 
> Upon successful completion, the value returned indicates the buffer size in 
> bytes required to hold the complete value and the terminating null character.
> If this value is no greater than the value passed in count, the entire string
> was copied. If this value is greater than count, the string copied into buf
> has been truncated to count -1 bytes plus a terminating null character.
> 
> Otherwise, -1 is returned and errno is set to indicate the error.

Notice that the above text asserts that the string copied into buf will
contain a "terminating null character", unless the returned value is -1.
Nevertheless, Purify's output seems to suggest it is not NUL terminated.

Work around: NUL pad the result in buf before calling strstr.
Assignee: nobody → nelson
Status: NEW → ASSIGNED
Attachment #285202 - Flags: review?(julien.pierre.boogz)
Attachment #285202 - Flags: review?(julien.pierre.boogz) → review+
On trunk:
Checking in freebl/loader.c;
new revision: 1.39; previous revision: 1.38

I'll commit on branch after I see trunk stay green.
Checking in freebl/loader.c;
new revision: 1.26.2.7; previous revision: 1.26.2.6
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Priority: -- → P2
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: