Wireshark-dev: [Wireshark-dev] strlen() and NULL pointer checks
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 16 May 2011 16:18:40 -0400
Hi folks,

Every once in a while, I do some fuzz testing on a Solaris/SPARC system. When I first did it I was primarily worried about getting bus errors (due to casts increasing alignment requirements), but usually what I find is another case of what I fixed in r37181. (Fortunately, I have not gotten bus errors.)

The backtrace for that one was:

#0  0xfc4b2150 in strlen () from /usr/lib/libc.so.1
#1  0xfc51d704 in _ndoprnt () from /usr/lib/libc.so.1
#2  0xfc51fe24 in vsnprintf () from /usr/lib/libc.so.1
#3 0xfd19c07c in proto_tree_set_representation_value (pi=0xff850be8, format=0xfe6d2c48 "(%s) Type %u: Value (hex bytes): %s", ap=0xffbfdb50) at /Wireshark/source/epan/proto.c:3651 #4 0xfd190184 in proto_tree_add_bytes_format_value (tree=0xff850ba0, hfindex=48268, tvb=0x507e84, start=210, length=4, start_ptr=0x0, format=0xfe6d2c48 "(%s) Type %u: Value (hex bytes): %s") at /Wireshark/source/epan/proto.c:1908 #5 0xfd8ab260 in dissect_v9_v10_pdu_data (tvb=0x507e84, pinfo=0xffbff1c8, pdutree=0xff850ba0, offset=210, tplt=0xff461a10, hdrinfo=0xffbfdee0, fields_type=TF_ENTRIES) at /Wireshark/source/epan/dissectors/packet-netflow.c:4791


The basic problem is that Solaris' strlen() seg-faults if given a NULL pointer whereas a lot of other implementations just return 0. Unfortunately glib does not appear to provide a safe alternative.

To avoid me being the only one doing this test, I have half-seriously contemplated:

1) building a version of strlen() which seg-faults when given a NULL pointer
2) building it into a shared library
3) using LD_PRELOAD to use this library when fuzz testing (at least on systems that support LD_PRELOAD)

Is there a better way?  Or better yet, a proper solution?

Regards,
-Jeff