* [musl] [PATCH 0/3] mntent: fix parsing lines with optional fields
@ 2021-08-21  8:54 Alyssa Ross
  2021-08-21  8:54 ` [musl] [PATCH libc-test 1/3] functional: add mntent test Alyssa Ross
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Alyssa Ross @ 2021-08-21  8:54 UTC (permalink / raw)
  To: musl; +Cc: Alyssa Ross

This series introduces tests for libc-test that demonstrate a Musl
bug, and follows them with a fix for that bug.

I hope I've done this right!  I wasn't sure where to send libc-test
patches, and I hope combining the libc-test and musl patches into a
single series like this isn't confusing.

-- 
2.32.0



* [musl] [PATCH libc-test 1/3] functional: add mntent test
  2021-08-21  8:54 [musl] [PATCH 0/3] mntent: fix parsing lines with optional fields Alyssa Ross
@ 2021-08-21  8:54 ` Alyssa Ross
  2021-08-21  8:54 ` [musl] [PATCH libc-test 2/3] functional: add mntent test for single-field line Alyssa Ross
  2021-08-21  8:54 ` [musl] [PATCH musl 3/3] mntent: fix parsing lines with optional fields Alyssa Ross
  2 siblings, 0 replies; 7+ messages in thread
From: Alyssa Ross @ 2021-08-21  8:54 UTC (permalink / raw)
  To: musl; +Cc: Alyssa Ross

This only checks reading an fstab from a stream.  I haven't written
tests for setmntent(), addmntent(), or hasmntopt().

test_getmntent exposes a bug in Musl where lines omitting the final
two fields, which are supposed to be optional according to fstab(5),
are not accepted.  The tests all pass on Glibc.
---
 AUTHORS                 |  1 +
 src/functional/mntent.c | 76 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 src/functional/mntent.c

diff --git a/AUTHORS b/AUTHORS
index ff99471..cf2a394 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -5,3 +5,4 @@ John Spencer
 Jens Gustedt
 Alexander Monakov
 Julien Ramseier
+Alyssa Ross
diff --git a/src/functional/mntent.c b/src/functional/mntent.c
new file mode 100644
index 0000000..59d816a
--- /dev/null
+++ b/src/functional/mntent.c
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: MIT
+
+#define _DEFAULT_SOURCE // for getmntent_r
+
+#include <errno.h>
+#include <mntent.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "test.h"
+
+#define ASSERT(x) do {				 \
+		if (!(x)) {			 \
+			t_error(#x " failed\n"); \
+			exit(EXIT_FAILURE);	 \
+		}				 \
+	} while (0);
+
+#define ERR(fmt, ...) do {					       \
+		t_error(fmt ": %s\n", ##__VA_ARGS__, strerror(errno)); \
+		exit(EXIT_FAILURE);				       \
+	} while (0)
+
+void test_getmntent_empty(void)
+{
+	char fstab[] = "\n";
+	FILE *f = fmemopen((void *)fstab, sizeof fstab - 1, "r");
+	if (!f) ERR("fmemopen");
+	ASSERT(!getmntent(f));
+	ASSERT(endmntent(f) == 1);
+}
+
+void test_getmntent(void)
+{
+	// Checks that the fifth and sixth fields default to 0.
+	char fstab[] = "none /proc proc defaults\n";
+	FILE *f = fmemopen((void *)fstab, sizeof fstab - 1, "r");
+	if (!f) ERR("fmemopen");
+	struct mntent *m = getmntent(f);
+	ASSERT(m);
+	ASSERT(!strcmp(m->mnt_fsname, "none"));
+	ASSERT(!strcmp(m->mnt_dir, "/proc"));
+	ASSERT(!strcmp(m->mnt_type, "proc"));
+	ASSERT(!strcmp(m->mnt_opts, "defaults"));
+	ASSERT(m->mnt_freq == 0);
+	ASSERT(m->mnt_passno == 0);
+	ASSERT(endmntent(f) == 1);
+}
+
+void test_getmntent_r(void)
+{
+	struct mntent m, *r;
+	char fstab[] = "/dev/sda\t/\text4\trw,nosuid\t2\t1\n";
+	char buf[sizeof(fstab)];
+
+	FILE *f = fmemopen((void *)fstab, sizeof fstab - 1, "r");
+	if (!f) ERR("fmemopen");
+
+	r = getmntent_r(f, &m, buf, sizeof buf);
+	ASSERT(r == &m);
+	ASSERT(!strcmp(m.mnt_fsname, "/dev/sda"));
+	ASSERT(!strcmp(m.mnt_dir, "/"));
+	ASSERT(!strcmp(m.mnt_type, "ext4"));
+	ASSERT(!strcmp(m.mnt_opts, "rw,nosuid"));
+	ASSERT(m.mnt_freq == 2);
+	ASSERT(m.mnt_passno == 1);
+	ASSERT(endmntent(f) == 1);
+}
+
+int main(void)
+{
+	test_getmntent_empty();
+	test_getmntent();
+	test_getmntent_r();
+}
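Review bot: The `ASSERT` macro ends in `} while (0);`, so each `ASSERT(x);` expands to two statements and the macro breaks when used as the body of an unbraced `if`/`else`; the last line should read `} while (0)`, as `ERR` just below already does. The tests also hand getmntent_r a buffer sized exactly to the input (`char buf[sizeof(fstab)]`), so the path that rejects an over-long line is never exercised. A case with a deliberately short `buf` that asserts a null return and `errno == ERANGE` would cover that bounds handling.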
-- 
2.32.0



* [musl] [PATCH libc-test 2/3] functional: add mntent test for single-field line
  2021-08-21  8:54 [musl] [PATCH 0/3] mntent: fix parsing lines with optional fields Alyssa Ross
  2021-08-21  8:54 ` [musl] [PATCH libc-test 1/3] functional: add mntent test Alyssa Ross
@ 2021-08-21  8:54 ` Alyssa Ross
  2021-08-21  8:54 ` [musl] [PATCH musl 3/3] mntent: fix parsing lines with optional fields Alyssa Ross
  2 siblings, 0 replies; 7+ messages in thread
From: Alyssa Ross @ 2021-08-21  8:54 UTC (permalink / raw)
  To: musl; +Cc: Alyssa Ross

Glibc only requires a single field to be present in an fstab line to
parse it, and will initialize all other string fields to the empty
string.  This test checks for that behaviour.
---

I'm providing this test as a separate patch to make it easy to pass on
this test while still accepting the rest, because I'm not sure whether
it's a good thing or not for Musl to allow fstab lines like this, even
though Glibc does.

 src/functional/mntent.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/functional/mntent.c b/src/functional/mntent.c
index 59d816a..caa7d33 100644
--- a/src/functional/mntent.c
+++ b/src/functional/mntent.c
@@ -31,6 +31,18 @@ void test_getmntent_empty(void)
 	ASSERT(endmntent(f) == 1);
 }
 
+void test_getmntent_short(void)
+{
+	char fstab[] = "1\n";
+	FILE *f = fmemopen((void *)fstab, sizeof fstab - 1, "r");
+	if (!f) ERR("fmemopen");
+	struct mntent *m = getmntent(f);
+	ASSERT(m);
+	ASSERT(!strcmp(m->mnt_fsname, "1"));
+	ASSERT(!*m->mnt_dir);
+	ASSERT(endmntent(f) == 1);
+}
+
 void test_getmntent(void)
 {
 	// Checks that the fifth and sixth fields default to 0.
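Review bot: `test_getmntent_short` asserts only `mnt_fsname` and `mnt_dir`, although the commit message says all other string fields are initialised to the empty string. Adding `ASSERT(!*m->mnt_type);` and `ASSERT(!*m->mnt_opts);`, along with checks that `mnt_freq` and `mnt_passno` are 0, would pin the whole contract. An implementation that leaves one of those pointers unset would then fail here rather than in a caller that dereferences it. test_getmntent's body continues outside the hunk.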
@@ -71,6 +83,7 @@ void test_getmntent_r(void)
 int main(void)
 {
 	test_getmntent_empty();
+	test_getmntent_short();
 	test_getmntent();
 	test_getmntent_r();
 }
-- 
2.32.0



* [musl] [PATCH musl 3/3] mntent: fix parsing lines with optional fields
  2021-08-21  8:54 [musl] [PATCH 0/3] mntent: fix parsing lines with optional fields Alyssa Ross
  2021-08-21  8:54 ` [musl] [PATCH libc-test 1/3] functional: add mntent test Alyssa Ross
  2021-08-21  8:54 ` [musl] [PATCH libc-test 2/3] functional: add mntent test for single-field line Alyssa Ross
@ 2021-08-21  8:54 ` Alyssa Ross
  2021-08-27 15:27   ` Érico Nogueira
  2 siblings, 1 reply; 7+ messages in thread
From: Alyssa Ross @ 2021-08-21  8:54 UTC (permalink / raw)
  To: musl; +Cc: Alyssa Ross

According to fstab(5), the last two fields are optional, but this
wasn't accepted by Musl.  After this change, only the first field is
required, which matches Glibc's behaviour.

Using sscanf as before, it would have been impossible to differentiate
between 0 fields and 4 fields, because sscanf would have returned 0 in
both cases due to the use of assignment suppression and %n for the
string fields (which is important to avoid copying any strings).  So
instead, before calling sscanf, initialize every string to the empty
string, and then we can check which strings are empty afterwards to
know how many fields were matched.
---

We could also be stricter about it, and enforce that the first four
fields are present, since the man page says only the last two are
optional.  Doing that would be a simple change of checking for the
presence of mnt_opts instead of mnt_fsname at the end of my patch.

 src/misc/mntent.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/misc/mntent.c b/src/misc/mntent.c
index eabb8200..5a68f0b9 100644
--- a/src/misc/mntent.c
+++ b/src/misc/mntent.c
@@ -21,7 +21,8 @@ int endmntent(FILE *f)
 
 struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf, int buflen)
 {
-	int cnt, n[8], use_internal = (linebuf == SENTINEL);
+	int use_internal = (linebuf == SENTINEL);
+	size_t len, i, n[8];
 
 	mnt->mnt_freq = 0;
 	mnt->mnt_passno = 0;
@@ -39,10 +40,14 @@ struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf, int bufle
 			errno = ERANGE;
 			return 0;
 		}
-		cnt = sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d",
-			n, n+1, n+2, n+3, n+4, n+5, n+6, n+7,
-			&mnt->mnt_freq, &mnt->mnt_passno);
-	} while (cnt < 2 || linebuf[n[0]] == '#');
+
+		len = strlen(linebuf);
+		for (i = 0; i < sizeof n / sizeof *n; i++) n[i] = len;
+		if (sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d",
+			n, n+1, n+2, n+3, n+4, n+5, n+6, n+7,
+			&mnt->mnt_freq, &mnt->mnt_passno) == EOF && ferror(f))
+			return 0;
+	} while (linebuf[n[0]] == '#');
 
 	linebuf[n[1]] = 0;
 	linebuf[n[3]] = 0;
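Review bot: Dropping `cnt < 2` from the loop condition means a blank or whitespace-only line is no longer skipped: `n[0]` ends up indexing the terminator, the loop exits, and the `!*mnt->mnt_fsname` check added in the last hunk presumably returns 0, which callers cannot tell apart from end of file. Entries after such a line would be silently dropped, which matters to any caller that walks the mount table to check options such as `nosuid`. Keeping blank lines inside the loop, e.g. `} while (linebuf[n[0]] == '#' || !linebuf[n[0]]);`, preserves the old skipping behaviour, assuming the read above the hunk still returns on end of file. Separately, `ferror(f)` is tested after `sscanf`, which parses `linebuf` and never touches `f`, so that early return looks unrelated to the call it guards. The loop starts outside the hunk.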
@@ -54,6 +60,9 @@ struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf, int bufle
 	mnt->mnt_type = linebuf+n[4];
 	mnt->mnt_opts = linebuf+n[6];
 
+	if (!*mnt->mnt_fsname)
+		return 0;
+
 	return mnt;
 }
 
-- 
2.32.0



* Re: [musl] [PATCH musl 3/3] mntent: fix parsing lines with optional fields
  2021-08-21  8:54 ` [musl] [PATCH musl 3/3] mntent: fix parsing lines with optional fields Alyssa Ross
@ 2021-08-27 15:27   ` Érico Nogueira
  2021-08-27 16:49     ` Rich Felker
  0 siblings, 1 reply; 7+ messages in thread
From: Érico Nogueira @ 2021-08-27 15:27 UTC (permalink / raw)
  To: musl; +Cc: Alyssa Ross

On Sat Aug 21, 2021 at 5:54 AM -03, Alyssa Ross wrote:
> According to fstab(5), the last two fields are optional, but this
> wasn't accepted by Musl. After this change, only the first field is
> required, which matches Glibc's behaviour.
>
> Using sscanf as before, it would have been impossible to differentiate
> between 0 fields and 4 fields, because sscanf would have returned 0 in
> both cases due to the use of assignment suppression and %n for the
> string fields (which is important to avoid copying any strings). So
> instead, before calling sscanf, initialize every string to the empty
> string, and then we can check which strings are empty afterwards to
> know how many fields were matched.

Besides typing change noted below, the change sounds reasonable.

If you want to fix another issue around mntent, hasmntopts has some
troubles too :p

> ---
>
> We could also be stricter about it, and enforce that the first four
> fields are present, since the man page says only the last two are
> optional. Doing that would be a simple change of checking for the
> presence of mnt_opts instead of mnt_fsname at the end of my patch.
>
> src/misc/mntent.c | 18 +++++++++++++-----
> 1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/src/misc/mntent.c b/src/misc/mntent.c
> index eabb8200..5a68f0b9 100644
> --- a/src/misc/mntent.c
> +++ b/src/misc/mntent.c
> @@ -21,7 +21,8 @@ int endmntent(FILE *f)
>  
> struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf,
> int buflen)
> {
> - int cnt, n[8], use_internal = (linebuf == SENTINEL);
> + int use_internal = (linebuf == SENTINEL);
> + size_t len, i, n[8];

Try avoiding unrelated changes in the commit, since they can introduce
subtle bugs. In this case, making n size_t[] instead of int[] will lead
to pointer type mismatches in the sscanf call, given that %n expects an
int*.

I don't know if *scanf guarantees it won't read enough to go past
INT_MAX, though, so making a change to size_t[] and using %ln might make
sense. Deferring to someone else to answer that.

>  
> mnt->mnt_freq = 0;
> mnt->mnt_passno = 0;
> @@ -39,10 +40,14 @@ struct mntent *getmntent_r(FILE *f, struct mntent
> *mnt, char *linebuf, int bufle
> errno = ERANGE;
> return 0;
> }
> - cnt = sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d",
> - n, n+1, n+2, n+3, n+4, n+5, n+6, n+7,
> - &mnt->mnt_freq, &mnt->mnt_passno);
> - } while (cnt < 2 || linebuf[n[0]] == '#');
> +
> + len = strlen(linebuf);
> + for (i = 0; i < sizeof n / sizeof *n; i++) n[i] = len;
> + if (sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d",
> + n, n+1, n+2, n+3, n+4, n+5, n+6, n+7,
> + &mnt->mnt_freq, &mnt->mnt_passno) == EOF && ferror(f))
> + return 0;
> + } while (linebuf[n[0]] == '#');
>  
> linebuf[n[1]] = 0;
> linebuf[n[3]] = 0;
> @@ -54,6 +60,9 @@ struct mntent *getmntent_r(FILE *f, struct mntent
> *mnt, char *linebuf, int bufle
> mnt->mnt_type = linebuf+n[4];
> mnt->mnt_opts = linebuf+n[6];
>  
> + if (!*mnt->mnt_fsname)
> + return 0;
> +
> return mnt;
> }
>  
> --
> 2.32.0



* Re: [musl] [PATCH musl 3/3] mntent: fix parsing lines with optional fields
  2021-08-27 15:27   ` Érico Nogueira
@ 2021-08-27 16:49     ` Rich Felker
  2021-08-27 16:59       ` Rich Felker
  0 siblings, 1 reply; 7+ messages in thread
From: Rich Felker @ 2021-08-27 16:49 UTC (permalink / raw)
  To: Érico Nogueira; +Cc: musl, Alyssa Ross

On Fri, Aug 27, 2021 at 12:27:36PM -0300, Érico Nogueira wrote:
> On Sat Aug 21, 2021 at 5:54 AM -03, Alyssa Ross wrote:
> > According to fstab(5), the last two fields are optional, but this
> > wasn't accepted by Musl. After this change, only the first field is
> > required, which matches Glibc's behaviour.
> >
> > Using sscanf as before, it would have been impossible to differentiate
> > between 0 fields and 4 fields, because sscanf would have returned 0 in
> > both cases due to the use of assignment suppression and %n for the
> > string fields (which is important to avoid copying any strings). So
> > instead, before calling sscanf, initialize every string to the empty
> > string, and then we can check which strings are empty afterwards to
> > know how many fields were matched.
> 
> Besides typing change noted below, the change sounds reasonable.
> 
> If you want to fix another issue around mntent, hasmntopts has some
> troubles too :p
> 
> > ---
> >
> > We could also be stricter about it, and enforce that the first four
> > fields are present, since the man page says only the last two are
> > optional. Doing that would be a simple change of checking for the
> > presence of mnt_opts instead of mnt_fsname at the end of my patch.
> >
> > src/misc/mntent.c | 18 +++++++++++++-----
> > 1 file changed, 13 insertions(+), 5 deletions(-)
> >
> > diff --git a/src/misc/mntent.c b/src/misc/mntent.c
> > index eabb8200..5a68f0b9 100644
> > --- a/src/misc/mntent.c
> > +++ b/src/misc/mntent.c
> > @@ -21,7 +21,8 @@ int endmntent(FILE *f)
> >  
> > struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *linebuf,
> > int buflen)
> > {
> > - int cnt, n[8], use_internal = (linebuf == SENTINEL);
> > + int use_internal = (linebuf == SENTINEL);
> > + size_t len, i, n[8];
> 
> Try avoiding unrelated changes in the commit, since they can introduce
> subtle bugs. In this case, making n size_t[] instead of int[] will lead
> to pointer type mismatches in the sscanf call, given that %n expects an
> int*.
> 
> I don't know if *scanf guarantees it won't read enough to go past

For *scanf in general there is no such guarantee; not even size_t is
safe for fscanf. However, here you have sscanf and the number is
bounded by strlen(linebuf).

> INT_MAX, though, so making a change to size_t[] and using %ln might make
> sense. Deferring to someone else to answer that.

The conversion specifier for size_t is %zu not %ln. Since in theory
strlen(linebuf) could be more than INT_MAX, I think this change should
be made, but it should be a separate bugfix.

Rich


* Re: [musl] [PATCH musl 3/3] mntent: fix parsing lines with optional fields
  2021-08-27 16:49     ` Rich Felker
@ 2021-08-27 16:59       ` Rich Felker
  0 siblings, 0 replies; 7+ messages in thread
From: Rich Felker @ 2021-08-27 16:59 UTC (permalink / raw)
  To: Érico Nogueira; +Cc: musl, Alyssa Ross

On Fri, Aug 27, 2021 at 12:49:28PM -0400, Rich Felker wrote:
> On Fri, Aug 27, 2021 at 12:27:36PM -0300, Érico Nogueira wrote:
> > Try avoiding unrelated changes in the commit, since they can introduce
> > subtle bugs. In this case, making n size_t[] instead of int[] will lead
> > to pointer type mismatches in the sscanf call, given that %n expects an
> > int*.
> > 
> > I don't know if *scanf guarantees it won't read enough to go past
> 
> For *scanf in general there is no such guarantee; not even size_t is
> safe for fscanf. However, here you have sscanf and the number is
> bounded by strlen(linebuf).
> 
> > INT_MAX, though, so making a change to size_t[] and using %ln might make
> > sense. Deferring to someone else to answer that.
> 
> The conversion specifier for size_t is %zu not %ln. Since in theory
> strlen(linebuf) could be more than INT_MAX, I think this change should
> be made, but it should be a separate bugfix.

Sorry, that should be '%zn'. '%zu' of course is for reading an integer
of type size_t not counting the bytes processed.

