Your message dated Fri, 19 Dec 2014 17:24:11 -0500
with message-id <[email protected]>
and subject line Re: [Pkg-gnupg-maint] Bug#773427: Strange checking bug
has caused the Debian Bug report #773427,
regarding Strange checking bug
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
773427: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773427
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg2
Version: 2.1.1
Severity: normal
Hi,
In stringhelp.c, line 525-526, no check is made to see if home_buffer is not
NULL, like it is checked if xmode is false, on line 530.
Thanks,
--
-- Joshua Rogers <https://internot.info/>
--- End Message ---
--- Begin Message ---
Control: notfound 773427 2.1.1
in https://bugs.debian.org/773427 Joshua Rogers wrote:
> In stringhelp.c, line 525-526, no check is made to see if home_buffer is not
> NULL, like it is checked if xmode is false, on line 530.
The lines you're describing are:
525 if (xmode)
526 home_buffer = jnlib_xmalloc (n);
527 else
528 {
529 home_buffer = jnlib_malloc (n);
530 if (!home_buffer)
531 {
532 jnlib_free (name);
533 return NULL;
534 }
535 }
This is inside do_make_filename(), which starts with:
400 /* xmode 0 := Return NULL on error
401 1 := Terminate on error
402 2 := Make sure that name is absolute; return NULL on error
403 3 := Make sure that name is absolute; terminate on error
404 */
405 static char *
406 do_make_filename (int xmode, const char *first_part, va_list arg_ptr)
407 {
408 const char *argv[32];
409 int argc;
410 size_t n;
411 int skip = 1;
412 char *home_buffer = NULL;
413 char *name, *home, *p;
414 int want_abs;
415
416 want_abs = !!(xmode & 2);
417 xmode &= 1;
So by line 417, xmode is 1 if do_make_filename is expected to terminate
on error, and 0 otherwise. Accessing a NULL pointer is guaranteed to
result in a segfault, which would terminate the process.
You can see the same idiom in other places in the same function, like:
452 if (xmode)
453 user = jnlib_xstrdup (first_part+1);
454 else
455 {
456 user = jnlib_strdup (first_part+1);
457 if (!user)
458 return NULL;
459 }
I'm closing this report, because the behavior is clearly intentional,
and is not a bug. Code should not invoke do_make_filename with the low
bit of xmode set without expecting process termination on error.
--dkg
--- End Message ---