apr_buffer_cpy: return NULL on allocation failure to avoid undefined behaviour#73
Conversation
d-sahlberg
left a comment
d-sahlberg
left a comment
There was a problem hiding this comment.
This looks very much like AI slop to me. Note how it mentions "five" in the description, but there are only three changes in the commit.
Two don't solve the problem they claim to solve, one solves another problem altogether - possibly a valuable change but not really what it claims to be.
I'm inclined to say -1 - just close.
| if (src->size > APR_BUFFER_MAX) { | ||
| return APR_EINVAL; | ||
| } | ||
| apr_size_t size = src->size + src->zero_terminated; |
There was a problem hiding this comment.
Conceptually fine, however it "only" protects the alloc() call from allocating more memory than we say a buffer can hold.
If someone is able to manipulate src->size to something more than what is allocated in src but less than APR_BUFFER_MAX we still have an issue in the memcpy a little later.
There was a problem hiding this comment.
You're right — this check is actually unreachable. The size field is a 63-bit bitfield (on 64-bit), so its maximum representable value is exactly APR_BUFFER_MAX (APR_SIZE_MAX/2). The condition src->size > APR_BUFFER_MAX can never be true.
I've removed both APR_BUFFER_MAX checks from the PR. The reworked patch focuses solely on the NULL alloc check, which addresses real undefined behaviour.
| if (src->size > APR_BUFFER_MAX) { | ||
| return NULL; | ||
| } | ||
| apr_size_t size = src->size + src->zero_terminated; |
| if (!mem) { | ||
| return NULL; | ||
| } | ||
| memcpy(mem, src->d.mem, size); |
There was a problem hiding this comment.
The documentation says nothing of what happens if alloc() returned NULL (compare with for example apr_buffer_arryadup where it is stated that the function will handle a NULL return from alloc()).
But since memcpy(0, src, size) is undefined behaviour, I think it is a reasonable change. Except, perhaps, if it would be an unacceptable API change to start returning NULL in case of an allocation failure.
There was a problem hiding this comment.
I've updated the apr_buffer_cpy() documentation in the header to explicitly state that NULL is returned when alloc returns NULL. This makes the API contract clear and consistent with apr_buffer_arraydup() which documents APR_ENOMEM on allocation failure.
A test exercising this path is also included.
|
Thanks for the review. I agree that the current description overstates the issue and incorrectly frames this as a confirmed critical overflow. I’ll revise the PR to narrow it to defensive hardening only. In particular, I’ll remove the “five memcpy calls” / “critical severity” language and keep only the allocation-failure guard before memcpy(), since calling memcpy with a NULL destination after alloc() failure would be undefined behaviour. For the APR_BUFFER_MAX checks, I understand your point that they do not prove that src->d.mem is actually backed by src->size bytes, so they do not fix the claimed issue. I’m happy to drop those from this PR unless you think they are still useful as a separate invariant check. Would a smaller patch focused only on the alloc() NULL check, with tests/docs adjusted for expected behaviour, be acceptable? |
orbisai0security
changed the title
apr_buffer_cpy() passes the result of the user-supplied alloc callback directly to memcpy() without checking for NULL. If the allocator fails, this is undefined behaviour (memcpy with NULL source or destination). Add a NULL check after alloc(), returning NULL to the caller. This is consistent with apr_buffer_arraydup() which already returns APR_ENOMEM on allocation failure. Update the apr_buffer_cpy() documentation to reflect that NULL may be returned. Add a test exercising the allocation failure path. Co-Authored-By: Claude Opus 4.6 <[email protected]>
orbisai0security
force-pushed
the
fix-apr-buffer-heap-overflow-v001
branch
from
fc65064 to
ddf3b70
Compare
orbisai0security
changed the title
|
Thanks for the thorough review. You were right on all counts — the original patch was sloppy and overclaimed. I've force-pushed a reworked version that:
The PR title and description have been rewritten to accurately describe the single focused change. Apologies for the earlier noise. |
2 participants
Summary
apr_buffer_cpy()passes the result of the user-suppliedalloccallbackdirectly to
memcpy()without checking for NULL. If the allocator fails,this results in undefined behaviour (
memcpy(NULL, src, size)).This patch adds a NULL check after
alloc(), returning NULL to the caller —consistent with how
apr_buffer_arraydup()already handles allocation failure(returning APR_ENOMEM).
The header documentation for
apr_buffer_cpy()is updated to document thatNULL may be returned when allocation fails. A test is added exercising this path.
Changes
buffer/apr_buffer.c: Add NULL check afteralloc()inapr_buffer_cpy()include/apr_buffer.h: Document NULL return on allocation failuretest/testbuffer.c: Add test for alloc failure pathAutomated security fix by OrbisAI Security