Re: wcstok(3) code sample

From: "Stefan Kanthak" <stefan.kanthak@nexgo.de>
To: "Alejandro Colomar \(man-pages\)" <alx.manpages@gmail.com>
Cc: <linux-man@vger.kernel.org>, <mtk.manpages@gmail.com>
Subject: Re: wcstok(3) code sample
Date: Mon, 26 Jul 2021 15:13:29 +0200	[thread overview]
Message-ID: <400F0D31E91143D3A0DBA2335E4D18BB@H270> (raw)
In-Reply-To: <69a547a9-7d25-73bf-e1f4-7cfbfdcb79aa@gmail.com>

Hi Alex,

you wrote Sunday, July 25, 2021 10:25 PM:

> Hi Stefan,
> 
> On 7/12/21 11:07 AM, Stefan Kanthak wrote:
>> Hi,
>> 
>> the examples section of wcstok(3) shows the following code
>> which exhibits undefined behaviour and typically segfaults:
>> 
>> <https://man7.org/linux/man-pages/man3/wcstok.3.html#EXAMPLES>
>> 
>> |  wchar_t *wcs = ...;
>> |  wchar_t *token;
>> |  wchar_t *state;
>> |  for (token = wcstok(wcs, " \t\n", &state);
>> |       token != NULL;
>> |       token = wcstok(NULL, " \t\n", &state)) {
>> |       ...
>> |  }
>> 
>> The string literal pointed to by wcs is read-only, and an
>> attempt to modify a string literal results in undefined
>> behaviour; wcstok() but writes NULs into its input string.
>> 
>> FIX: replace the first line with either
>> 
>> |  wchar_t *wcs = strdup(...);
>> 
>>       or
>> 
>> |  wchar_t wcs[] = ...;
> 
> That code is a bit unfortunate.

Yes.

> It is not a complete program, so it can be interpreted in different ways,
> one of them the one you said, which results in UB.

Correct: I interpret such snippets in their worst case and notice olny/first
their vulnerabilities or UB.

> I guess the intent of the code was that wcs was assigned a pointer to a 
> wchar_t * (not a literal), and therefore, it would be correct.

Yes.

> The code predates version control, so we'll never know...
> 
> Would you mind sending a complete example?

Just add a comment which tells that the string pointed to by wcs must not
be a literal (or read-only).

|  wchar_t *wcs[] = ...;    // must not point to a literal or read-only memory

regards
Stefan