Closed Bug 400119 Opened 17 years ago Closed 17 years ago

Fix UMRs in getLibName()

Categories

(NSS :: Libraries, defect, P2)

Sun
Solaris

Tracking

(Not tracked)

RESOLVED FIXED
3.11.8

People

(Reporter: nelson, Assigned: nelson)


Details

Attachments

(1 file)

NSS function getLibName calls sysinfo() and then uses strstr to scan the result buffer for a certain string. The code is:

> 74 const static char int_hybrid_isa[] = "sparcv8plus";
> 75 const static char fpu_hybrid_isa[] = "sparcv8plus+vis";
> 82 char * found_int_hybrid;
> 83 char * found_fpu_hybrid;
> 84 long buflen;
> 85 char buf[256];
> 86
> 87 buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
> 88 if (buflen <= 0)
> 89 return NULL;
> 97 found_int_hybrid = strstr(buf, int_hybrid_isa);
> 98 found_fpu_hybrid = strstr(buf, fpu_hybrid_isa);

Purify reports UMR (Uninitialized Memory Reads) occurring in those two calls to strstr. We believe the only way UMRs can occur in strstr is if the buffer "buf" is not NUL terminated.

Solaris's sysinfo(2) man page says:

> SYNOPSIS
> #include <sys/systeminfo.h>
> long sysinfo(int command, char *buf, long count);
>
> RETURN VALUES
>
> Upon successful completion, the value returned indicates the buffer size in
> bytes required to hold the complete value and the terminating null character.
> If this value is no greater than the value passed in count, the entire string
> was copied. If this value is greater than count, the string copied into buf
> has been truncated to count -1 bytes plus a terminating null character.
>
> Otherwise, -1 is returned and errno is set to indicate the error.

Notice that the above text asserts that the string copied into buf will contain a "terminating null character", unless the returned value is -1. Nevertheless, Purify's output seems to suggest it is not NUL terminated.

Work around: NUL pad the result in buf before calling strstr.
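The following is an added, self-contained illustration of the workaround described above; it is not code from the NSS tree or from this bug's attachment. Because sysinfo(SI_ISALIST) exists only on Solaris, the example substitutes a constructed ISA list and two stand-in query functions: one that follows the documented sysinfo(2) contract and one that copies the bytes without writing a terminating NUL, which is the behaviour Purify's report implies. The lookup zero-fills the buffer before the call and reserves the last byte as a guard, so strstr always finds a terminator whichever behaviour the callee has. It also reports when the required size exceeds the buffer, since a truncated ISA list can silently drop the hybrid ISA names. The returned strings ("fpu_hybrid", "int_hybrid", "generic") are placeholders, not the names of the freebl libraries getLibName selects.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample of a Solaris ISA list (most capable ISA first). */
static const char sample_isalist[] =
    "sparcv9+vis sparcv9 sparcv8plus+vis sparcv8plus sparcv8 sparcv7 sparc";

/* Signature shared by the stand-ins for sysinfo(SI_ISALIST, buf, count). */
typedef long (*isalist_fn)(char *buf, long count);

/* Stand-in that honours the sysinfo(2) contract quoted in the bug:
 * returns the size needed including the NUL, copies at most count-1
 * bytes, and always writes a terminating NUL. */
static long isalist_documented(char *buf, long count)
{
    size_t need = sizeof sample_isalist; /* strlen + 1 */
    size_t n;
    if (count <= 0)
        return -1;
    n = need < (size_t)count ? need : (size_t)count;
    memcpy(buf, sample_isalist, n - 1);
    buf[n - 1] = '\0';
    return (long)need;
}

/* Stand-in for what the Purify report suggests: same return value and
 * same bytes copied, but no terminating NUL is written. */
static long isalist_unterminated(char *buf, long count)
{
    size_t need = sizeof sample_isalist;
    size_t n;
    if (count <= 0)
        return -1;
    n = need < (size_t)count ? need : (size_t)count;
    memcpy(buf, sample_isalist, n - 1); /* deliberately no buf[n-1] = '\0' */
    return (long)need;
}

/* Stand-in for the failure path (sysinfo returns -1). */
static long isalist_failing(char *buf, long count)
{
    (void)buf;
    (void)count;
    return -1;
}

/* Hardened version of the lookup. The caller supplies the buffer so the
 * truncation case can be exercised with a small one. *truncated is set
 * when the full list did not fit in the buffer. */
const char *get_lib_name_padded(isalist_fn query, char *buf, size_t bufsize,
                                int *truncated)
{
    static const char int_hybrid_isa[] = "sparcv8plus";
    static const char fpu_hybrid_isa[] = "sparcv8plus+vis";
    long buflen;

    if (truncated)
        *truncated = 0;
    if (bufsize < 2)
        return NULL;

    memset(buf, 0, bufsize);                   /* NUL pad before the call */
    buflen = query(buf, (long)(bufsize - 1));  /* last byte stays a guard NUL */
    if (buflen <= 0)
        return NULL;
    buf[bufsize - 1] = '\0';                   /* strstr cannot run off the end */

    /* Per the man page, a required size larger than count means the copy
     * was cut short; the hybrid ISA names may be missing from buf. */
    if ((size_t)buflen > bufsize - 1 && truncated)
        *truncated = 1;

    /* Check the longer name first: "sparcv8plus+vis" contains "sparcv8plus". */
    if (strstr(buf, fpu_hybrid_isa))
        return "fpu_hybrid";
    if (strstr(buf, int_hybrid_isa))
        return "int_hybrid";
    return "generic";
}
```

With a 256-byte buffer both stand-ins yield "fpu_hybrid"; with a 16-byte buffer the list is cut to "sparcv9+vis sp", the hybrid names are gone, and the truncated flag is the only hint that the "generic" answer is unreliable. In the NSS code the equivalent check is buflen greater than sizeof buf.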
Assignee: nobody → nelson
Status: NEW → ASSIGNED
Attachment #285202 - Flags: review?(julien.pierre.boogz)
Attachment #285202 - Flags: review?(julien.pierre.boogz) → review+
On trunk: Checking in freebl/loader.c; new revision: 1.39; previous revision: 1.38 I'll commit on branch after I see trunk stay green.
Checking in freebl/loader.c; new revision: 1.26.2.7; previous revision: 1.26.2.6
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Priority: -- → P2
Resolution: --- → FIXED