[fpc-pascal] Bugs in StrToHostAddr6 in sockets unit
Noel Duffy
noelduffy at xtra.co.nz
Sun May 3 12:20:42 CEST 2020
On Sun, 3 May 2020 09:57:46 +0200 (CEST) Michael Van Canneyt
<michael at freepascal.org> wrote:
>
> On Sun, 3 May 2020, Noel Duffy via fpc-pascal wrote:
>>
>> The problem is that the StrToHostAddr6 function doesn't set its return
>> value until the end of the function. If a parse error occurs
>> mid-function, it zeroes the record in which it's writing the result but
>> exits without setting the function return value. What gets returned
>> depends on what's on the stack.
>>
>> I could have sworn that fpc would detect a function exiting without
>> setting a return value, but clearly 3.0.4 doesn't.
>
> It checks if the result is assigned. This is done;
> But it does not check this for every exit, as far as I know it never has.
That seems like it would be a valuable feature to have. I am not certain
what's contained in an uninitialized variable that gets returned from a
function but I'd guess there's a risk of information leakage.
The way return values from functions get set is one part of the Pascal
language I dislike.
>> 2. The second problem is that a colon-separated string containing
>> hexadecimal values of any length will be parsed and treated as valid by
>> StrToHostAddr6. E.g, it will parse a string like
>> "fe80ca2f1::906e:9d2f:a520:4172". The sample program produces this
>> output for this string:
>>
>> "fe80ca2f1::906e:9d2f:a520:4172" ->
>> A2-F1-00-00-00-00-00-00-90-6E-9D-2F-A5-20-41-72-
>>
>> For the part before the first colon, it has discarded all but the last
>> two bytes, A2 and F1. But it should not have accepted this string at
>> all. There can be only four characters between the colons.
>
> If you send a patch for this, I'll apply it.
Sure I can take a stab at this. Do you normally get people to open a bug
against which to post the patch? I'm not at all familiar with
contributing to fpc, I'm afraid, so please bear with me! Also, if
there's information on unit testing for library functions and
procedures, that would be very helpful.
More information about the fpc-pascal
mailing list