From gvs@road.demos.su  Mon May 26 04:35:02 2003
Return-Path: <gvs@road.demos.su>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7BF0237B401
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 26 May 2003 04:35:02 -0700 (PDT)
Received: from road.demos.su (road.demos.su [194.87.2.211])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6CE4243F85
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 26 May 2003 04:35:01 -0700 (PDT)
	(envelope-from gvs@road.demos.su)
Received: from road.demos.su (localhost [127.0.0.1])
	by road.demos.su (8.12.8/8.12.8) with ESMTP id h4QBetww073194
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 26 May 2003 15:40:55 +0400 (MSD)
	(envelope-from gvs@road.demos.su)
Received: (from gvs@localhost)
	by road.demos.su (8.12.8/8.12.8/Submit) id h4QBetQx073193;
	Mon, 26 May 2003 15:40:55 +0400 (MSD)
Message-Id: <200305261140.h4QBetQx073193@road.demos.su>
Date: Mon, 26 May 2003 15:40:55 +0400 (MSD)
From: Seva Gluschenko <gvs@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: str[n][case]cmp may cause segmentation violation with NULL pointers passed
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         52691
>Category:       bin
>Synopsis:       str{n}{case}cmp may cause segmentation violation with NULL pointers passed
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 26 04:40:17 PDT 2003
>Closed-Date:    Mon May 26 13:53:04 PDT 2003
>Last-Modified:  Wed Jan 14 20:29:03 UTC 2009
>Originator:     Seva Gluschenko
>Release:        FreeBSD 4.8-RC i386
>Organization:
JSC Demos-Internet
>Environment:
System: FreeBSD road.demos.su 4.8-RC FreeBSD 4.8-RC #2: Tue Mar 4 15:43:13 MSK 2003 gvs@road.demos.su:/usr/local/obj/usr/local/src/sys/ROAD i386

>Description:
	Using libc's implementation of case-insensitive string comparison (str[n][case]cmp),
	it is possible to get a segmentation violation because NULL pointers aren't checked
	and *p++ is used blindly. Any occasional call to these functions with one of the string
	pointers equal to NULL may catch signal 11 and cause the program to die.
>How-To-Repeat:

	create the simplest test:

#include <string.h>

int main() {

	char *s1 = NULL, *s2 = NULL;

	return strcmp(s1, s2);
}

	> gcc -o test test.c
	> ./test
	Segmentation fault (core dumped)
>Fix:
	Apply patch below, rebuild and reinstall libc. Don't use
	str[n][case]cmp from libc until it's fixed unless you want your
	projects to die unexpectedly.

--- /usr/src/lib/libc/string/strcmp.c.orig	Mon May 26 15:35:59 2003
+++ /usr/src/lib/libc/string/strcmp.c	Mon May 26 15:37:05 2003
@@ -52,6 +52,8 @@
 strcmp(s1, s2)
 	register const char *s1, *s2;
 {
+	if (s1 == NULL || s2 == NULL)
+		return (0);
 	while (*s1 == *s2++)
 		if (*s1++ == 0)
 			return (0);
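Review bot: returning 0 for a NULL argument makes NULL compare "equal" to every string, so strcmp() stops being a consistent ordering (NULL == "a" and NULL == "b" while "a" != "b"), and qsort(), bsearch() or tree inserts that use it will silently produce wrong results instead of a crash. Passing NULL to strcmp() is undefined behaviour under the C standard, and a silent "equal" hides the caller's bug rather than fixing it, which is the reason the audit trail gives for closing; if a check is kept at all, an assertion or a distinct non-zero result would be safer than 0.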
--- /usr/src/lib/libc/string/strncmp.c.orig	Mon May 26 15:35:52 2003
+++ /usr/src/lib/libc/string/strncmp.c	Mon May 26 15:36:36 2003
@@ -48,7 +48,7 @@
 	register size_t n;
 {
 
-	if (n == 0)
+	if (n == 0 || s1 == NULL || s2 == NULL)
 		return (0);
 	do {
 		if (*s1 != *s2++)
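Review bot: folding the NULL test into `if (n == 0 || s1 == NULL || s2 == NULL)` reuses the "n is zero, nothing to compare" result for a NULL pointer, so strncmp(NULL, "abc", 3) now reports equality; a caller cannot distinguish a zero-length comparison from a bad pointer. The same ordering concern as in strcmp.c applies: NULL becomes equal to every string.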
--- /usr/src/lib/libc/string/strcasecmp.c.orig	Mon May 26 15:01:42 2003
+++ /usr/src/lib/libc/string/strcasecmp.c	Mon May 26 15:03:54 2003
@@ -49,6 +49,7 @@
 strcasecmp(s1, s2)
 	const char *s1, *s2;
 {
+    if (s1 != NULL || s2 != NULL) {
 	register const u_char
 			*us1 = (const u_char *)s1,
 			*us2 = (const u_char *)s2;
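Review bot: the condition on the added line is inverted: `if (s1 != NULL || s2 != NULL)` enters the block whenever at least one pointer is non-NULL, so strcasecmp("abc", NULL) still dereferences the NULL pointer in the loop and faults. It should read `if (s1 != NULL && s2 != NULL)`, as the strncasecmp hunk later in this patch does. The added line is also indented with four spaces where the surrounding file uses tabs.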
@@ -57,6 +58,9 @@
 		if (*us1++ == '\0')
 			return (0);
 	return (tolower(*us1) - tolower(*--us2));
+    }
+    return 0;
+
 }
 
 int
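Review bot: the trailing `+` line inserts a stray blank line before the closing brace, and `return 0;` drops the parentheses this file uses everywhere else (`return (0);`). Wrapping the whole existing body in a new block without re-indenting it also leaves the function's contents one level shallower than the block they now sit in; an early return at the top of the function, as in the strcmp.c hunk, would avoid both problems.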
@@ -64,7 +68,7 @@
 	const char *s1, *s2;
 	register size_t n;
 {
-	if (n != 0) {
+	if (s1 != NULL && s2 != NULL && n != 0) {
 		register const u_char
 				*us1 = (const u_char *)s1,
 				*us2 = (const u_char *)s2;
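Review bot: this hunk checks both pointers with `&&` before they are used, which is correct on its own but inconsistent with the strcasecmp hunk above, which uses `||` and still dereferences a lone NULL; both functions should use the same condition. As in the other files, a NULL argument now takes the same path as `n == 0`, so the caller sees "equal" rather than an error.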
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon May 26 13:53:02 PDT 2003 
State-Changed-Why:  
The bug is in the application that passes NULL to strcmp. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52691 
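The following C program is an added example, not code from this PR or from FreeBSD libc: it shows the caller-side handling the audit trail points to, and contrasts a NULL-aware wrapper with a model of the patch's "return 0 on NULL" behaviour. The names safe_strcmp, patched_strcmp_model, equality_is_transitive and sort_with_null_demo are chosen here, and the sorted list is a constructed sample.

```c
/* Added example, not code from PR 52691 or FreeBSD libc: why the fix belongs
 * in the caller. The patch's "return 0 on NULL" makes NULL equal to every
 * string, so equality is no longer transitive and qsort()/bsearch() break. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caller-side wrapper: NULL == NULL, NULL sorts before any string. */
int safe_strcmp(const char *s1, const char *s2)
{
    if (s1 == NULL || s2 == NULL)
        return (s1 != NULL) - (s2 != NULL);   /* -1, 0 or 1; no deref */
    return strcmp(s1, s2);
}

/* Model of the PR's patched strcmp (any NULL -> 0), for contrast only. */
int patched_strcmp_model(const char *s1, const char *s2)
{
    return (s1 == NULL || s2 == NULL) ? 0 : strcmp(s1, s2);
}

/* 1 if cmp() keeps equality transitive over a, b, c (a==b && b==c => a==c). */
int equality_is_transitive(int (*cmp)(const char *, const char *),
                           const char *a, const char *b, const char *c)
{
    if (cmp(a, b) == 0 && cmp(b, c) == 0)
        return cmp(a, c) == 0;
    return 1;
}

static int by_safe_strcmp(const void *a, const void *b)
{
    return safe_strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Sorts a constructed list with a NULL entry; 1 if NULL lands first, rest ordered. */
int sort_with_null_demo(void)
{
    const char *v[] = { "beta", NULL, "alpha" };
    qsort(v, 3, sizeof(v[0]), by_safe_strcmp);
    return v[0] == NULL && safe_strcmp(v[1], v[2]) < 0;
}

int main(void)
{
    printf("%d %d\n", equality_is_transitive(patched_strcmp_model, "a", NULL, "b"),
           sort_with_null_demo());
    return 0;
}
```

The first number printed is 0 because the patch model makes "a" == NULL == "b" while "a" != "b"; the second is 1 because the wrapper keeps a total order with NULL first.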
>Unformatted:
