From nobody@FreeBSD.org  Fri Feb 11 01:46:34 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B221116A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Feb 2005 01:46:34 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9B7DC43D1D
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Feb 2005 01:46:34 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j1B1kYd6021383
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Feb 2005 01:46:34 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j1B1kYwS021382;
	Fri, 11 Feb 2005 01:46:34 GMT
	(envelope-from nobody)
Message-Id: <200502110146.j1B1kYwS021382@www.freebsd.org>
Date: Fri, 11 Feb 2005 01:46:34 GMT
From: Ed Maste <emaste@phaedrus.sandvine.ca>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] strnstr(3) can read beyond specified length
X-Send-Pr-Version: www-2.3

>Number:         77369
>Category:       misc
>Synopsis:       [PATCH] strnstr(3) can read beyond specified length
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pjd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 11 01:50:19 GMT 2005
>Closed-Date:    Fri Feb 11 21:08:25 GMT 2005
>Last-Modified:  Fri Feb 11 21:08:25 GMT 2005
>Originator:     Ed Maste
>Release:        5.3-RELEASE-p2
>Organization:
Sandvine Inc.
>Environment:
>Description:
strstr(3) states
The strnstr() function locates the first occurrence of the null-terminated string little in the string big, where not more than len characters are searched.

(It does not explicitly mention whether string big must be null terminated or not.)  However, strnstr may actually read one character more than len if the string is not null-terminated.
>How-To-Repeat:
strnstrtest.c:
#include <stdio.h>
#include <stdlib.h>   /* malloc(3) */
#include <string.h>
#define PAGE_SIZE 4096
int main(int argc, char *argv[])
{
    char *str;
    /* PAGE_SIZE bytes of '-' with no NUL terminator anywhere in the buffer. */
    char *buf = malloc(PAGE_SIZE);
    memset(buf, '-', PAGE_SIZE);
    /* Only PAGE_SIZE bytes may be searched; the bug reads one byte past them. */
    str = strnstr(buf, "little", PAGE_SIZE);
    printf("strnstr returned %p\n", str);
    return 0;
}

$ cc -g strnstrtest.c -o strnstrtest
$ ./strnstrtest
Segmentation fault (core dumped)
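The same over-read, shown without depending on a page boundary: the search loop from the Fix section below is re-implemented here as an added example (not FreeBSD's strnstr and not the submitter's code) with an instrumented byte read that records the highest offset dereferenced, so the old test order can be seen touching buf[len] while the patched order stops at buf[len - 1]. The names search, peek, max_offset_touched and find_offset are chosen here, and the 16-byte dash buffer is constructed input.

```c
#include <string.h>
/* Highest buffer offset dereferenced by the last search (instrumentation). */
static size_t max_off_read;
static char peek(const char *base, const char *p)
{
    if ((size_t)(p - base) > max_off_read) max_off_read = (size_t)(p - base);
    return *p;
}

/* Search loop modeled on the hunk in this PR's Fix section (not FreeBSD's strnstr).
 * fixed=1 tests slen before dereferencing (patched order); fixed=0 is the old order. */
static char *search(const char *s, const char *find, size_t slen, int fixed)
{
    const char *base = s;
    char c, sc;
    size_t len;
    if ((c = *find++) != '\0') {
        len = strlen(find);
        do {
            do {
                if (fixed ? (slen-- < 1 || (sc = peek(base, s++)) == '\0')
                          : ((sc = peek(base, s++)) == '\0' || slen-- < 1))
                    return NULL;
            } while (sc != c);
            if (len > slen)         /* keeps the strncmp below within budget */
                return NULL;
        } while (strncmp(s, find, len) != 0);
        s--;
    }
    return (char *)s;
}

/* Constructed input: 16 dashes, no terminator (like the PR's test program).
 * Searches the first len bytes (len < 16 keeps this demo itself in bounds) and
 * returns the highest offset read: old order gives len, fixed order len - 1. */
size_t max_offset_touched(size_t len, int fixed)
{
    char buf[16];
    memset(buf, '-', sizeof buf);
    max_off_read = 0;
    search(buf, "little", len, fixed);
    return max_off_read;
}

/* Offset of little within the first len bytes of buf (fixed order), or -1. */
long find_offset(const char *buf, const char *little, size_t len)
{
    char *r = search(buf, little, len, 1);
    return r ? (long)(r - buf) : -1;
}
```

The second function checks that the reordered test still finds a match that fits inside the budget and rejects one that would need the byte at offset len.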

>Fix:
--- src/lib/libc/string/strnstr.c.orig
+++ src/lib/libc/string/strnstr.c
@@ -60,7 +60,7 @@
                len = strlen(find);
                do {
                        do {
-                               if ((sc = *s++) == '\0' || slen-- < 1)
+                               if (slen-- < 1 || (sc = *s++) == '\0')
                                        return (NULL);
                        } while (sc != c);
                        if (len > slen)
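Review bot: The swap in the inner-loop condition is the right fix and relies on `||` short-circuiting: once `slen-- < 1` holds, `(sc = *s++)` is never evaluated, so the scan stops before the byte at offset len instead of one past it, which is exactly what the test program in How-To-Repeat triggers. The `if (len > slen)` guard that follows still sees slen decremented once per byte consumed, since `slen--` now runs on every iteration that reads, so the remaining-budget check for the tail comparison is unaffected. One documentation point to pair with the code change: the strstr(3) text quoted in the Description does not say that big need not be NUL-terminated within the first len bytes, and the manual should state that explicitly now that the implementation honours it.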

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->pjd 
Responsible-Changed-By: pjd 
Responsible-Changed-When: Fri Feb 11 20:56:18 GMT 2005 
Responsible-Changed-Why:  
I'll take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77369 
State-Changed-From-To: open->closed 
State-Changed-By: pjd 
State-Changed-When: Fri Feb 11 21:07:54 GMT 2005 
State-Changed-Why:  
Fixed in -CURRENT, MFC after 1 week, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77369 
>Unformatted:
