Explicitly document and test for NULL input case.

diff --git a/src/lib/util/value.c b/src/lib/util/value.c
index b3c2d1c57b13874485671b2d4009871e5c8f01af..e201d36e4fdb0e47e693b2c8d64525cc44fa11e1 100644 (file)
--- a/src/lib/util/value.c
+++ b/src/lib/util/value.c
@@ -3802,7 +3802,7 @@ int fr_value_box_bstr_realloc(TALLOC_CTX *ctx, char **out, fr_value_box_t *dst,
  * @param[in] ctx      to allocate any new buffers in.
  * @param[in] dst      to assign buffer to.
  * @param[in] enumv    Aliases for values.
- * @param[in] src      a string.
+ * @param[in] src      a string.  May be NULL only if len == 0.
  * @param[in] len      of src.
  * @param[in] tainted  Whether the value came from a trusted source.
  */
@@ -3811,6 +3811,12 @@ int fr_value_box_bstrndup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t c
 {
        char const      *str;
 
+       if (unlikely((len > 0) && !src)) {
+               fr_strerror_printf("Invalid arguments to %s.  Len > 0 (%zu) but src string was NULL",
+                                  __FUNCTION__, len);
+               return -1;
+       }
+
        str = talloc_bstrndup(ctx, src, len);
        if (!str) {
                fr_strerror_const("Failed allocating string buffer");