Subject: bin/21148: Potential misuse of ctype functions [heimdal]
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 04/14/2003 12:55:01
>Number: 21148
>Category: bin
>Synopsis: Potential misuse of ctype functions [heimdal]
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 14 03:56:00 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Christian Biere
>Release: NetBSD 1.6Q
>Organization:
>Environment:
>Description:
At least the following file(s) seem(s) to be affected:
crypto/dist/heimdal/appl/ftp/ftpd/ftpd.c
crypto/dist/heimdal/appl/xnlock/xnlock.c
crypto/dist/heimdal/kadmin/util.c
crypto/dist/heimdal/lib/roken/strcasecmp.c
crypto/dist/heimdal/lib/roken/strlwr.c
crypto/dist/heimdal/lib/roken/strncasecmp.c
crypto/dist/heimdal/lib/roken/strupr.c
*** This general description which might only partially apply to this PR ***
The is* (e.g., isdigit() but not isascii()) functions from <ctype.h> as well
as tolower() and toupper() expect an parameter of type int. However, the
behaviour is only defined for values which are EOF or representable as
an unsigned char. Several architectures have char as signed char by default.
This means if you pass a parameter of type char it will be automatically
casted to (signed) int and therefore the value isn't representable as
an unsigned char or EOF for negative values (except -1 which is normally EOF).
The result might be a crash or simply *anything* as the behaviour isn't
defined for these cases.
I have not verified whether there are any preconditions which prevent
an actual problem. The code might work for the suggested platform, it
might not be used, the characters might be prefiltered etc. However,
it's so simple toofix but so often done wrong, that I don't think anyone
should waste his with going into deep here.
KISS: If you work with strings use unsigned char or cast to it. If you use
int make sure that it's from fgetc(), getc() etc. or better check for EOF
and cast it to unsigned char after that.
Furthermore, it's often not considered that these functions respect the
current locale settings.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: