Fix possible invalid write and overflow issues in kmemmem, kstrstr and kstrnstr #1980
Fixes various issues in the `kmemmem()` interface and its `kstrstr()` and `kstrnstr()` wrappers:

Calling `kmemmem()`, `kstrstr()` or `kstrnstr()` with a zero-length pattern could lead to a zero-length allocation in the `ksBM_prep()` function and, if that returns a non-NULL `suff` pointer, an invalid write to `suff[-1]`. Thanks to Harrison Green for reporting this. Fixed by catching zero-length patterns and returning the correct result - a pointer to the start of the input.

As an additional optimisation, patterns of length 1 are now passed to `memchr()` as it's likely to be more efficient in that case. Finally, if the pattern is longer than the input, NULL is returned early as it can never match. This is also useful for some of the other changes, as it ensures subtracting the two lengths will never give a negative result.

The `kmemmem()` interface uses `int` for the sizes of the pattern and input buffers, but the `kstrstr()` wrapper passed in the output of `strlen()` which could overflow. The implementation is renamed and altered to use `size_t` for the length of the `str` buffer. `kmemmem()` is now a simple wrapper around it that handles the possibility of `n` being negative. The length of the `pat` buffer is left as an `int` as otherwise the type and size of the `prep` array would need to be changed. This would be wasteful as the pattern is very likely to be short.

It was difficult to tell the difference between the algorithm failing because it couldn't allocate memory, or the pattern simply not being present (both returned NULL). This is fixed by providing Karp-Rabin as a backup algorithm. It's fairly simple and doesn't need to allocate any memory so should always work. It's also used to cover the unlikely case of the `kstrstr()` pattern being longer than `INT_MAX`.

`kstrnstr()` did not check for a NUL in the first `n` bytes of its input. This could lead to it finding false matches beyond the strict end of its input, or possibly reads of uninitialised memory. Fixed by checking for a NUL in the first `n` bytes and adjusting `n` if one is found. It also returns NULL if the pattern is longer than the revised `n` which both avoids unnecessary work and ensures the pattern length <= `INT_MAX`.

`test/test_kstring.c` is updated to add some simple `kmemmem`, `kstrstr`, and `kstrnstr` tests. It's also made to include `kstring.c` directly so that it can unit test non-exported internal functions. This allows some tests for the Karp-Rabin implementation to be added.
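The checks described in this PR, as an added example that is not htslib's code and is not taken from the pull request itself: a `size_t`-based core search with the empty-pattern, pattern-longer-than-input and length-1 `memchr()` fast paths, an `int`-length wrapper, a `strstr`-style wrapper, and a `strnstr`-style wrapper that stops at the first NUL within `n`. The function names (`rk_memmem`, `safe_memmem`, `safe_kmemmem`, `safe_strstr`, `safe_strnstr`) are hypothetical. Karp-Rabin is the only algorithm here, standing in for the allocation-free fallback the PR describes, and rejecting negative lengths in `safe_kmemmem` is this example's own choice, not what `kmemmem()` does.

```c
/* Added example (not htslib's code): a bounded substring search in the
 * style of kmemmem()/kstrstr()/kstrnstr() with the front-end checks the
 * PR describes. Function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Karp-Rabin: rolling hash over an m-byte window, no heap allocation.
 * A hash hit is confirmed with memcmp() so a collision never yields a
 * false match. Arithmetic is modulo 2^32 via unsigned wraparound. */
static const char *rk_memmem(const char *str, size_t n, const char *pat, size_t m)
{
    const uint32_t B = 257;
    uint32_t hp = 0, hs = 0, msd = 1;   /* msd = B^(m-1), weight of the oldest byte */
    size_t i;

    if (m == 0) return str;
    if (m > n) return NULL;
    for (i = 0; i < m; i++) {
        hp = hp * B + (unsigned char)pat[i];
        hs = hs * B + (unsigned char)str[i];
        if (i > 0) msd *= B;
    }
    for (i = 0; ; i++) {
        if (hp == hs && memcmp(str + i, pat, m) == 0) return str + i;
        if (i + m >= n) return NULL;          /* window has reached the end */
        /* slide the window: drop str[i], append str[i + m] */
        hs = (hs - (unsigned char)str[i] * msd) * B + (unsigned char)str[i + m];
    }
}

/* Core search with size_t lengths, as the PR's renamed implementation uses. */
static const char *safe_memmem(const char *str, size_t n, const char *pat, size_t m)
{
    if (m == 0) return str;                    /* empty pattern: match at start, no table built */
    if (m > n) return NULL;                    /* cannot match; also keeps n - m non-negative */
    if (m == 1) return memchr(str, pat[0], n); /* single byte: memchr() is cheaper */
    return rk_memmem(str, n, pat, m);
}

/* int-length interface like kmemmem(). Negative lengths are rejected here;
 * that is an assumption made for this example, not htslib's behaviour. */
static const char *safe_kmemmem(const char *str, int n, const char *pat, int m)
{
    if (n < 0 || m < 0) return NULL;
    return safe_memmem(str, (size_t)n, pat, (size_t)m);
}

/* strstr-style wrapper: strlen() results stay in size_t, so no int overflow. */
static const char *safe_strstr(const char *str, const char *pat)
{
    return safe_memmem(str, strlen(str), pat, strlen(pat));
}

/* strnstr-style wrapper: a NUL inside the first n bytes ends the haystack,
 * so no match is reported past the real end of the string and the bytes
 * beyond it are never read. */
static const char *safe_strnstr(const char *str, const char *pat, size_t n)
{
    const char *nul = memchr(str, '\0', n);
    size_t m = strlen(pat);
    if (nul) n = (size_t)(nul - str);          /* shrink n to the true string length */
    if (m > n) return NULL;                    /* also bounds m by the revised n */
    return safe_memmem(str, n, pat, m);
}

/* Constructed sample inputs for the demonstration below. */
static const char hay[] = "hello world, hello again";
static const char buf[] = "abc\0xyz";          /* NUL at index 3, more bytes after it */

int main(void)
{
    const char *p = safe_strnstr(buf, "xyz", sizeof buf);
    printf("search past embedded NUL: %s\n", p ? "matched (wrong)" : "NULL (correct)");
    p = safe_strstr(hay, "again");
    printf("\"again\" found at offset %ld\n", p ? (long)(p - hay) : -1L);
    return 0;
}
```

The `safe_strnstr` call in `main` is the case the PR closes: the pattern `"xyz"` is physically present after the NUL in `buf`, but because `n` is first cut down to the NUL's position the search never looks there. The `m > n` test in `safe_memmem` runs before any subtraction of the two lengths, which is what makes the `size_t` window arithmetic in `rk_memmem` safe.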