
[tor-commits] [tor/master] scan-build: memarea_strndup() undefined behavior



commit 3b1f7f75a7efa51ae5549a6413e90066cfe307a8
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date:   Sat Apr 19 13:16:56 2014 -0400

    scan-build: memarea_strndup() undefined behavior
    
    The memarea_strndup() function would have hit undefined behavior by
    creating an 'end' pointer off the end of a string if it had ever been
    given an 'n' argument bigger than the length of the memory area that
    it's scanning.  Fortunately, we never did that except in the unit
    tests.  But it's not a safe behavior to leave lying around.
---
 src/common/memarea.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/common/memarea.c b/src/common/memarea.c
index e2d07fc..bcaea09 100644
--- a/src/common/memarea.c
+++ b/src/common/memarea.c
@@ -291,14 +291,11 @@ memarea_strdup(memarea_t *area, const char *s)
 char *
 memarea_strndup(memarea_t *area, const char *s, size_t n)
 {
-  size_t ln;
+  size_t ln = 0;
   char *result;
-  const char *cp, *end = s+n;
   tor_assert(n < SIZE_T_CEILING);
-  for (cp = s; cp < end && *cp; ++cp)
+  for (ln = 0; ln < n && s[ln]; ++ln)
     ;
-  /* cp now points to s+n, or to the 0 in the string. */
-  ln = cp-s;
   result = memarea_alloc(area, ln+1);
   memcpy(result, s, ln);
   result[ln]='\0';
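
Review bot: 'ln' is now initialized twice, once at the declaration ('size_t ln = 0;') and again in the loop header ('for (ln = 0; ...'); keep only one, for example leave the declaration as 'size_t ln;' so the loop header is the single place the counter starts. The index form 'ln < n && s[ln]' checks the bound before reading s[ln] and never forms s+n, which matches the commit message. The removed comment about where 'cp' ends has no replacement, so a one-line comment after the loop saying that ln is now n or the index of the terminating NUL would keep the following memarea_alloc(area, ln+1) and memcpy(result, s, ln) easy to audit.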


