This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: glibc segfault on "special" long double values is _ok_!?
- From: Paul Mackerras <paulus at samba dot org>
- To: Andreas Schwab <schwab at suse dot de>
- Cc: Jim Meyering <jim at meyering dot net>, Ulrich Drepper <drepper at redhat dot com>, bug-gnulib at gnu dot org, libc-alpha at sourceware dot org
- Date: Thu, 7 Jun 2007 08:51:42 +1000
- Subject: Re: glibc segfault on "special" long double values is _ok_!?
- References: <87y7ixb6wb.fsf@rho.meyering.net> <jeabvdmepm.fsf@sykes.suse.de>
Andreas Schwab writes:
> Jim Meyering <jim@meyering.net> writes:
>
> > I'm interested, because I don't want my applications to segfault on such
> > inputs. Sure it may look a little far-fetched, but I think it's not.
> > Imagine such a bit pattern being injected into a network data stream
> > that is then printed as a long double. Just printing an arbitrary
> > "long double" should not make a server vulnerable to a DoS attack.
>
> In which way is this different from passing NULL to strlen?
In that long doubles are scalar values while strlen's argument is a
pointer value. In general with scalars there is no value whose
meaning or effect is undefined, unlike pointers.
If glibc can indeed be made to segfault just by doing printf on some
particular long double value then I think that is worth reporting as a
security vulnerability.
Paul.
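As an added illustration of the "bit pattern injected into a network data stream" scenario discussed above (example code, not from this thread or from glibc), the following C classifies a 10-byte encoding in the x87 80-bit extended-precision format, which is what long double is on x86 glibc targets (an assumption; the thread does not name the architecture). A receiver can use it to reject the encodings the hardware itself treats as unsupported before converting or printing them.

```c
#include <stdint.h>

/* Classes of an x87 80-bit extended-precision encoding (Intel SDM terms).
   The first five are ordinary values; the last three are encodings that
   arithmetic never produces and that the FPU treats as unsupported or
   non-canonical. */
enum x87_class {
    X87_NORMAL,          /* exp 1..0x7FFE, integer bit set */
    X87_ZERO,            /* exp 0, significand all clear */
    X87_DENORMAL,        /* exp 0, integer bit clear, fraction nonzero */
    X87_INF,             /* exp 0x7FFF, integer bit set, fraction zero */
    X87_NAN,             /* exp 0x7FFF, integer bit set, fraction nonzero */
    X87_PSEUDO_DENORMAL, /* exp 0, integer bit set */
    X87_UNNORMAL,        /* exp 1..0x7FFE, integer bit clear */
    X87_PSEUDO_NAN_INF   /* exp 0x7FFF, integer bit clear */
};

/* enc[0..9] is the little-endian 10-byte encoding: bytes 0..7 hold the
   64-bit significand (bit 63 is the explicit integer bit), bytes 8..9 hold
   the sign and the 15-bit biased exponent. On x86-64 a 16-byte long double
   has six further padding bytes, which are not inspected here. */
enum x87_class x87_classify(const unsigned char enc[10])
{
    uint64_t mant = 0;
    for (int i = 7; i >= 0; i--)
        mant = (mant << 8) | enc[i];
    unsigned exp = ((unsigned)(enc[9] & 0x7F) << 8) | enc[8];
    int integer_bit = (int)(mant >> 63);
    uint64_t fraction = mant & 0x7FFFFFFFFFFFFFFFull;

    if (exp == 0x7FFF) {
        if (!integer_bit) return X87_PSEUDO_NAN_INF;
        return fraction ? X87_NAN : X87_INF;
    }
    if (exp == 0) {
        if (integer_bit) return X87_PSEUDO_DENORMAL;
        return fraction ? X87_DENORMAL : X87_ZERO;
    }
    return integer_bit ? X87_NORMAL : X87_UNNORMAL;
}

/* 1 if the encoding is one that arithmetic can produce; a server that
   receives long doubles from the network can drop everything else before
   memcpy'ing the bytes into a long double and handing it to printf. */
int x87_encoding_is_canonical(const unsigned char enc[10])
{
    enum x87_class c = x87_classify(enc);
    return c == X87_NORMAL || c == X87_ZERO || c == X87_DENORMAL ||
           c == X87_INF || c == X87_NAN;
}
```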