From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: [PATCH] Implement glibc *_chk interfaces for ABI compatibility.
Date: Wed, 17 Jun 2015 20:40:41 -0400 [thread overview]
Message-ID: <20150618004040.GK1173@brightrain.aerifal.cx> (raw)
In-Reply-To: <CAMAJcuAQGfkiDMQfV72JNv+QgOkGZ1T5QG8V=rk09vnf9y7QjQ@mail.gmail.com>
On Wed, Jun 17, 2015 at 02:07:08PM -0500, Josiah Worcester wrote:
> >> +size_t __wcrtomb_chk(char *restrict s, wchar_t wc, mbstate_t *restrict st, size_t slen)
> >> +{
> >> + if (slen < MB_CUR_MAX) a_crash();
> >> + return wcrtomb(s, wc, st);
> >> +}
> >
> > i think this can cause a false positive crash
> > but glibc seems to do the same..
> >
> > (eg some api passes wchar_t* and the exact mb encoded length of
> > a string so the output s can be safely shorter than max mb length)
> >
> I'm not sure if we should match glibc here or do a better check.
>
> Thanks for the input. I'm going to wait a bit before posting a new
> patch, though, in hopes that more comments are forthcoming.
This code is definitely wrong as-is; for example:
char c;
wcrtomb(&c, L'0', st)
is perfectly valid (albeit useless) code. Other examples are possible
too. I think a decent check would be:
size_t r = wcrtomb(s, wc, st);
if (r+1 > slen+1) a_crash();
return r;
This allows an overflow of up to 3 bytes to occur before the trap, but
there's no way a valid dest buffer could be within 3 bytes of this
function's or wcrtomb's stack, so you should safely reach the a_crash
even on overflow.
The alternative would be using a temp buffer of size MB_LEN_MAX and
then performing memcpy to the caller's buffer if the result fits or
a_crash if not.
Rich
next prev parent reply other threads:[~2015-06-18 0:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-17 2:48 Josiah Worcester
2015-06-17 9:30 ` Szabolcs Nagy
2015-06-17 19:07 ` Josiah Worcester
2015-06-18 0:40 ` Rich Felker [this message]
2015-06-20 20:32 ` Rich Felker
2015-08-30 23:14 ` Rich Felker
2015-08-31 1:10 ` Isaac Dunham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150618004040.GK1173@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).