Possibility of Segmentation Fault on smbd/trans2.c

okuyamak at dd.iij4u.or.jp okuyamak at dd.iij4u.or.jp
Thu Jan 18 05:05:49 GMT 2001


>>>>> "MBA" == Michael B Allen <mballen at erols.com> writes:
MBA> But hey, it works right. That seems to be the theme here :~)
>> Maybe this is because we were running memcpy() even if length being
>> 0. I thought it's implementation dependent about how memcpy() will
>> work when given length is 0.
MBA> The length parameter of memcpy can in fact be zero. I would imagine that
MBA> it may also be NULL as NULL is defined by the c standard as a macro for
MBA> (void *)0 and therefore n > 0 will fail.

1) In source, dest is not exactly NULL. It's really
   NULL + offset  ( I mean   &(((char *)NULL)[offset])   is what it's like )
   So, even if memcpy has NULL checking, we still have a chance of
   having a Segmentation fault.

2) Hmmmm, according to a book named "ANSI-C dictionary", which is written
   in Japanese and seems to be sold only in Japan, it's implementation
   dependent what to do when length is 0.
   Maybe it's simply that this book is wrong.


MBA> I believe you are confusing
MBA> the fact that "If copying takes place between objects that overlap,
MBA> the behavior is undefined."

No, I do know what that means. That's the reason why I only use memmove()
for memory chunk copying ;p
# To reject simple/stupid mistakes that I usually make.

But at the same time, nowadays libraries usually use exactly the same code for
memcpy() and memmove(). So, it's true that it's very hard to detect this
overlapping problem.
---- 
Kenichi Okuyama at Tokyo Research Lab. IBM-Japan, Co.
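The two hazards raised in this message (a destination computed as NULL plus an offset, and an overlap that stays hidden because memcpy() and memmove() share one implementation) shown in a small defensive copy helper; this is an added example written for this page, not code from Samba or from the thread's authors, and the names checked_copy, regions_overlap and the result enum are assumptions. It validates the base pointer before the offset is applied and treats a zero length as no excuse for an invalid pointer, which is what C99 7.21.1p2 requires.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Outcome of one copy request (hypothetical names, not from Samba). */
enum copy_result { COPY_MEMCPY = 0, COPY_MEMMOVE = 1, COPY_NULL_BASE = 2 };

/* Do [dst, dst+n) and [src, src+n) share at least one byte?
 * This is the explicit overlap check the thread says memcpy()/memmove()
 * no longer give you for free. */
static int regions_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0) return 0;
    return d < s ? (s - d) < n : (d - s) < n;
}

/* Copy n bytes of src to base + offset.
 * The base pointer is validated BEFORE the offset is added: once offset
 * is applied, a NULL base no longer compares equal to NULL, so a check on
 * the computed destination would miss it. The check applies even when
 * n == 0, because C99 7.21.1p2 requires pointer arguments to be valid
 * regardless of the length argument. Overlapping regions go through
 * memmove(), whose result is defined; memcpy() on overlap is not. */
enum copy_result checked_copy(void *base, size_t offset, const void *src, size_t n)
{
    if (base == NULL || src == NULL)
        return COPY_NULL_BASE;
    char *dst = (char *)base + offset;
    if (n == 0)
        return COPY_MEMCPY;          /* nothing to move, pointers were valid */
    if (regions_overlap(dst, src, n)) {
        memmove(dst, src, n);
        return COPY_MEMMOVE;
    }
    memcpy(dst, src, n);
    return COPY_MEMCPY;
}

int main(void)
{
    char buf[16] = "0123456789abcde";       /* constructed sample buffer */
    /* Shift "0123" two bytes right inside the same buffer: overlapping. */
    enum copy_result r = checked_copy(buf, 2, buf, 4);
    printf("%d %s\n", r, buf);              /* prints: 1 0101236789abcde */
    /* NULL base with a zero length is still rejected, no arithmetic done. */
    printf("%d\n", checked_copy(NULL, 12, "x", 0));   /* prints: 2 */
    return 0;
}
```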