ODMA Incident Report

X000801: ODMA32.dll Undefended NULL-Pointers

Last updated 2000-08-07-14:45 -0700 (pdt)

Category: Vulnerability - Warning
Incident ID: X000801
Priority: 3 - Non-Critical
Status: Investigate Further and Document
Component: ODMA32.dll, all current versions up to 2.0.0
Repaired in: none
Related information: X000806

Assigned To: Dennis E. Hamilton
Reported By: Dennis Hamilton 2000-08-04
Date Opened: 2000-08-04
Date Closed: none

Summary:

An application that uses the ODMA API incorrectly can induce a crash in any version of ODMA32.dll, the Connection Manager for Win32.  No direct damage occurs, but users will lose any work in progress and the DMS being used may have incomplete materials in its collection. 

There are no reported production incidents attributable to this particular defect.  It is documented as a warning for future trouble-shooting and for maintenance of Connection Manager implementations.

This condition is most likely to occur in development or maintenance of an ODMA-aware application.  The conditions necessary to provoke the crash are unlikely in well-behaved applications in production usage.

Analysis:

The ODMA Connection Manager must examine the ODMA Document IDs that are provided as parameters for a number of ODMA 2.0 API functions.  This is necessary to determine the DMS ID of the DMS Integration to use in the operation.

In the cases where the Document ID parameter is not optional, the ODMA Connection Manager 1.0.0, 1.5.0, and 2.0.0 implementations all fail to defend against erroneous NULL values for an lpszDocId parameter before using its value.

ODMA32.dll will terminate with a fatal error when it receives a NULL value in any operation having a required lpszDocId parameter.  This is the result of performing strlen(NULL) in function ODMClient::ConnectDocId of Connection Manager module Client.cpp.

Odma.dll will operate successfully, returning an appropriate ODMSTATUS error code.  This is because the byte at address 0 (*NULL) is arranged to be 0 on MS-DOS and Win16, so the result of strlen(NULL) is the same as strlen(""), namely 0.
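As an added illustration that is not Connection Manager source, the C below places the unguarded strlen beside a guarded Document ID check that returns an error status instead of faulting.  The "::ODMA\DMSID\..." layout of a Document ID, the status names, and the sample ID "SAMPLDMS" are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-in status codes for this example (not the odma.h values). */
enum docid_status { DOCID_OK = 0, DOCID_NULL, DOCID_MALFORMED, DOCID_TOOLONG };

/* Assumed Document ID layout: "::ODMA\" DMSID "\" DMS-specific part. */
#define ODMA_PREFIX "::ODMA\\"

/* Unguarded form mirroring the defect: with a NULL lpszDocId this is
 * strlen(NULL), undefined in ANSI C and fatal in ODMA32.dll. */
size_t docid_length_unguarded(const char *lpszDocId)
{
    return strlen(lpszDocId);
}

/* Guarded form: validate the pointer and the ID shape before any string
 * call, then copy the DMS ID into dmsid (cap bytes). A status code, not a
 * fault, is what the calling application can act on. */
enum docid_status connect_doc_id_guarded(const char *lpszDocId,
                                         char *dmsid, size_t cap)
{
    const char *start, *end;
    size_t n;
    if (lpszDocId == NULL || dmsid == NULL || cap == 0)
        return DOCID_NULL;                   /* the missing defense */
    if (strncmp(lpszDocId, ODMA_PREFIX, strlen(ODMA_PREFIX)) != 0)
        return DOCID_MALFORMED;
    start = lpszDocId + strlen(ODMA_PREFIX);
    end = strchr(start, '\\');
    if (end == NULL || end == start)         /* empty or missing DMS ID */
        return DOCID_MALFORMED;
    n = (size_t)(end - start);
    if (n + 1 > cap)
        return DOCID_TOOLONG;
    memcpy(dmsid, start, n);
    dmsid[n] = '\0';
    return DOCID_OK;
}

/* True when lpszDocId is valid and names the expected DMS. */
int dms_id_is(const char *lpszDocId, const char *expected)
{
    char dmsid[64];
    return connect_doc_id_guarded(lpszDocId, dmsid, sizeof dmsid) == DOCID_OK
        && strcmp(dmsid, expected) == 0;
}
```

The same guard belongs at the top of every function with a required lpszDocId parameter, before any strlen, strcmp, or copy touches the pointer.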

Actions:

  1. Identify and report those ODMA Connection Manager functions that fail to defend against NULL string-pointer parameters.
  2. Confirm that strlen(NULL) is not well-defined for ANSI Standard C and that strlen(NULL) fails for a number of ANSI Standard C string.h libraries.
  3. Demonstrate that this failure actually occurs with the current ODMA 2.0 connection manager implementation, ODMA32.dll version 2.0.0.
  4. Describe appropriate work-around and safeguard techniques.
  5. Schedule correction in the next rebuild of ODMA Connection Manager implementations.

Please provide any relevant information and feedback to the ODMA Tech List or directly to the AIIM DMware Technical Coordinator.


created 2000-08-04-13:47 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 00-08-07 14:44 $
$$Revision: 5 $