From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: New static analysis results
Date: Fri, 5 Sep 2014 14:02:52 -0400 [thread overview]
Message-ID: <20140905180252.GO23797@brightrain.aerifal.cx> (raw)
In-Reply-To: <20140904171357.GB23797@brightrain.aerifal.cx>
On Thu, Sep 04, 2014 at 01:13:58PM -0400, Rich Felker wrote:
> On Thu, Sep 04, 2014 at 08:45:45PM +0400, Alexander Monakov wrote:
> > Hello,
> >
> > I'm happy to report a few new results from running static code analysis on
> > musl (from a tool developed where I work).
> >
> > ctime.c:5
> > localtime(t) may return NULL, but that will cause UB in asctime
>
> Yes, I need to look into what ctime should do in this case though...
Found it:
7.27.3.2 The ctime function
2 The ctime function converts the calendar time pointed to by timer
to local time in the form of a string. It is equivalent to
asctime(localtime(timer))
The standard basically specifies the implementation, so it's clearly
UB if localtime(t) would return a null pointer. Looks like no action
is needed here; the most-desirable-behavior (crash) for UB happens
automatically anyway.
> > regexec.c:253
> > "return REG_NOMATCH;" in GET_NEXT_WCHAR leaks memory allocated for 'buf'
>
> This should be checked, but it sounds likely.
nsz is looking into fixing it.
> > lookup_serv.c:55
> > getnameinfo.c:99
> > pointless "if (!p) continue;" when "if (!*p) continue;" was probably
> > intended
>
> I'd have to look at the code but it's possible the intent was leftover
> from old code that was changed rather than being what you think. But I
> think your proposed change is probably right for the current code.
> Looks low-priority anyway (only affects parsing invalid hosts/services
> files).
Digging up the history was confusing so I'm just fixing them based on
the current code.
For lookup_serv.c, the line was a nop and is not needed. For
getnameinfo.c it seems to be an actual bug that could cause reading
past the end of the line buffer (but not write).
> > fpathconf.c
> > off-by-one error in range check (if (name >= sizeof ...))
>
> Indeed. This should be fixed.
Fixing.
Rich
next prev parent reply other threads:[~2014-09-05 18:02 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-04 16:45 Alexander Monakov
2014-09-04 17:13 ` Rich Felker
2014-09-05 18:02 ` Rich Felker [this message]
2014-09-05 18:39 ` Alexander Monakov
2014-09-05 18:53 ` Rich Felker
2014-09-05 20:50 ` Jens Gustedt
2014-09-05 21:23 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140905180252.GO23797@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).