
Bug in checkpassword code



Dear List,

After much pain, I appear to have found a bug in the checkpassword-sql
implementation.

The string allocation routines use realloc to increase the memory space if your
query is too long.  However, the form of these realloc statements is

realloc(stra->s, size);
realloc(stra->s, stra->strlen+len);
realloc(stra->s, stra->strlen+1);

From the man page for realloc.

void *realloc(void *ptr, size_t size);

RETURN VALUE
 realloc() returns a pointer to the newly  allocated  memory,  which  is
       suitably  aligned  for  any  kind of variable and may be different from
       ptr, or NULL if the request fails.

The code shown will not correctly resize the arrays on Linux given the
information shown from the man page.

They should more likely be:
stra->s = realloc(stra->s, size);
stra->s = realloc(stra->s, stra->strlen+len);
stra->s = realloc(stra->s, stra->strlen+1);


However, this does run the risk of stra->s becoming a null pointer if the realloc
fails.  But given the coding, I'm not sure of the best way to resolve that
unless you just fail and exit the program.

This problem does not become apparent until you have gone past the initially
allocated size for a string, as realloc is never called in that situation.

Regards

Russell Smith
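The growth pattern the message describes, as an added example that is not the checkpassword-sql code itself: a minimal growable string whose append stores realloc's return value through a temporary, so a failed realloc neither loses the old buffer nor leaves a null pointer in stra->s. The struct layout (s, strlen, size) and the initial capacity are assumptions mirroring the field names in the message.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout modelled on the names used in the bug report. */
typedef struct {
    char *s;       /* heap buffer, kept NUL-terminated */
    size_t strlen; /* bytes in use, excluding the terminator */
    size_t size;   /* bytes currently allocated */
} stralloc_t;

/* Returns 0 on success, -1 if the initial allocation fails. */
int stra_init(stralloc_t *stra, size_t initial) {
    if (initial == 0) initial = 1;
    stra->s = malloc(initial);
    if (!stra->s) return -1;
    stra->s[0] = '\0';
    stra->strlen = 0;
    stra->size = initial;
    return 0;
}

/* Append len bytes of src, growing the buffer when needed. The return value of
 * realloc is assigned through tmp: a bare realloc(stra->s, n) discards the new
 * block, and stra->s = realloc(...) would overwrite the old pointer with NULL
 * on failure. Here a failure leaves stra untouched and still freeable. */
int stra_append(stralloc_t *stra, const char *src, size_t len) {
    if (stra->strlen + len + 1 > stra->size) {
        size_t newsize = stra->size;
        while (newsize < stra->strlen + len + 1) newsize *= 2;
        char *tmp = realloc(stra->s, newsize);  /* may return a moved block */
        if (!tmp) return -1;
        stra->s = tmp;
        stra->size = newsize;
    }
    memcpy(stra->s + stra->strlen, src, len);
    stra->strlen += len;
    stra->s[stra->strlen] = '\0';
    return 0;
}

/* Constructed input: build a query that outgrows the initial 8-byte buffer,
 * the situation in which the original code's missing assignment first bites.
 * Returns the final length when the content is intact, 0 otherwise. */
size_t demo_query_len(void) {
    static const char *parts[] = {"SELECT password FROM users WHERE ", "login='", "someuser", "'"};
    static const char expected[] = "SELECT password FROM users WHERE login='someuser'";
    stralloc_t q;
    if (stra_init(&q, 8) != 0) return 0;
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++)
        if (stra_append(&q, parts[i], strlen(parts[i])) != 0) { free(q.s); return 0; }
    size_t n = (strcmp(q.s, expected) == 0) ? q.strlen : 0;
    free(q.s);
    return n;
}
```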


