From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 29411 invoked from network); 13 Jan 2022 18:53:57 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with ESMTPUTF8; 13 Jan 2022 18:53:57 -0000 Received: (qmail 5128 invoked by uid 550); 13 Jan 2022 18:53:55 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 4052 invoked from network); 13 Jan 2022 18:53:54 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h= from:to:cc:subject:in-reply-to:references:date:message-id :mime-version:content-type; s=fm2; bh=phNoFQMe2uzFYazDBaaSJ2jSGo iNVtz4ih8UdcR4X30=; b=UW5wZ+XHACJvHk/F4rTiaJJrnEIsY8A5zibmJc1Gmu Zu5CvPXANNY+9YvRIhWbRthGOZ+26vaa9tvXZUZ1Wvg/M6pSETRSBBGa6QxR/wUK /GXn1wWsUAo8E/FOoES9spMqYepWNIh59aUKm45AVHNOex8pIZLhu1glnBYgDzKF 88Dn9XK9lgKHM/HyAvnpxcr9XszGI/Gqs5wGcm5XoD2vNm+K6keRKMmQwFcaHEjC UyAjn0RqO2yJn6JBokh4BUethT7meE4+j1i9Q0dH6sMrubjHqoCjtepprEvuI11O uUJuynMZ1X9kY4/7InnW/fioWnQOJDOF9OoA0AB9kIBQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=phNoFQ Me2uzFYazDBaaSJ2jSGoiNVtz4ih8UdcR4X30=; b=CQUmGIsWSYITgigXytGn1D ARi3WKIh6x1Xst1kHJ8hw0ZFayJ/v3jpXyZVV7mNLYH+EneuoLeIBZX+QcQ15eHm hk0FuX4JU+4p/BnnllCJgUnEuUC8BJf4ElWffFiWViBuzxvBaFKlof3WcnI6Iizj tRhXr2HW52sG5rrAoUGh1meqXnQpjDzk/nal7eHK3nk/rSWh9nLotRR5QKp88x0U UzD0NHBtDTTIuMk5XKaJz4dN0nby4TuDL7GLaTmfgENdF2nTcPfudgFerGxz9kkj HSPApdpV9tq6jp3pK4hYuoSWsyh+CyUUQfpS6mmJEe6akfOM9BVvscmneucjZnHQ == X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrtdefgdduudekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffujghffffkgggtsehgtderre dttdejnecuhfhrohhmpeetlhihshhsrgcutfhoshhsuceohhhisegrlhihshhsrgdrihhs qeenucggtffrrghtthgvrhhnpeevleefveffuedugfehheehveeffefgveefteduheevhf dvledtgfehgeejiedtfeenucffohhmrghinhepmhhnthgvnhhtrdgtfienucevlhhushht vghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehhihesrghlhihsshgrrd hish X-ME-Proxy: From: Alyssa Ross To: Rich Felker Cc: musl@lists.openwall.com In-Reply-To: <20220113174037.GA7074@brightrain.aerifal.cx> References: <20210915221155.3977763-1-hi@alyssa.is> <20210915221155.3977763-4-hi@alyssa.is> <20210920042140.GT13220@brightrain.aerifal.cx> <20220109031819.GO7074@brightrain.aerifal.cx> <878rvj1tut.fsf@alyssa.is> <20220113174037.GA7074@brightrain.aerifal.cx> Date: Thu, 13 Jan 2022 18:53:19 +0000 Message-ID: <875yqn1n8g.fsf@alyssa.is> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Subject: Re: [musl] [PATCH musl v2 3/3] mntent: fix parsing lines with optional fields --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Rich Felker writes: > On Thu, Jan 13, 2022 at 04:30:18PM +0000, Alyssa Ross wrote: >> Hi Rich, thanks for following up on this. >>=20 >> Rich Felker writes: >>=20 >> > On Mon, Sep 20, 2021 at 12:21:41AM -0400, Rich Felker wrote: >> >> On Wed, Sep 15, 2021 at 10:11:55PM +0000, Alyssa Ross wrote: >> >> > According to fstab(5), the last two fields are optional, but this >> >> > wasn't accepted by Musl. After this change, only the first field is >> >> > required, which matches Glibc's behaviour. >> >> >=20 >> >> > Using sscanf as before, it would have been impossible to differenti= ate >> >> > between 0 fields and 4 fields, because sscanf would have returned 0= in >> >> > both cases due to the use of assignment suppression and %n for the >> >> > string fields (which is important to avoid copying any strings). So >> >> > instead, before calling sscanf, initialize every string to the empty >> >> > string, and then we can check which strings are empty afterwards to >> >> > know how many fields were matched. >> >> > --- >> >> >=20 >> >> > We could also be stricter about it, and enforce that the first four >> >> > fields are present, since the man page says only the last two are >> >> > optional. Doing that would be a simple change of checking for the >> >> > presence of mnt_opts instead of mnt_fsname at the end of my patch. >> >> >=20 >> >> > v2: don't change n from int to size_t >> >> >=20 >> >> > src/misc/mntent.c | 18 +++++++++++++----- >> >> > 1 file changed, 13 insertions(+), 5 deletions(-) >> >> >=20 >> >> > diff --git a/src/misc/mntent.c b/src/misc/mntent.c >> >> > index eabb8200..238a0efd 100644 >> >> > --- a/src/misc/mntent.c >> >> > +++ b/src/misc/mntent.c >> >> > @@ -21,7 +21,8 @@ int endmntent(FILE *f) >> >> >=20=20 >> >> > struct mntent *getmntent_r(FILE *f, struct mntent *mnt, char *line= buf, int buflen) >> >> > { >> >> > - int cnt, n[8], use_internal =3D (linebuf =3D=3D SENTINEL); >> >> > + int n[8], use_internal =3D (linebuf =3D=3D SENTINEL); >> >> > + size_t len, i; >> >> >=20=20 >> >> > mnt->mnt_freq =3D 0; >> >> > mnt->mnt_passno =3D 0; >> >> > @@ -39,10 +40,14 @@ struct mntent *getmntent_r(FILE *f, struct mnte= nt *mnt, char *linebuf, int bufle >> >> > errno =3D ERANGE; >> >> > return 0; >> >> > } >> >> > - cnt =3D sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d", >> >> > - n, n+1, n+2, n+3, n+4, n+5, n+6, n+7, >> >> > - &mnt->mnt_freq, &mnt->mnt_passno); >> >> > - } while (cnt < 2 || linebuf[n[0]] =3D=3D '#'); >> >> > + >> >> > + len =3D strlen(linebuf); >> >> > + for (i =3D 0; i < sizeof n / sizeof *n; i++) n[i] =3D len; >> >> > + if (sscanf(linebuf, " %n%*s%n %n%*s%n %n%*s%n %n%*s%n %d %d", >> >> > + n, n+1, n+2, n+3, n+4, n+5, n+6, n+7, >> >> > + &mnt->mnt_freq, &mnt->mnt_passno) =3D=3D EOF && ferror(f)) >> >> > + return 0; >> >> > + } while (linebuf[n[0]] =3D=3D '#'); >> >> >=20=20 >> >> > linebuf[n[1]] =3D 0; >> >> > linebuf[n[3]] =3D 0; >> >> > @@ -54,6 +60,9 @@ struct mntent *getmntent_r(FILE *f, struct mntent= *mnt, char *linebuf, int bufle >> >> > mnt->mnt_type =3D linebuf+n[4]; >> >> > mnt->mnt_opts =3D linebuf+n[6]; >> >> >=20=20 >> >> > + if (!*mnt->mnt_fsname) >> >> > + return 0; >> >> > + >> >> > return mnt; >> >> > } >> >>=20 >> >> It looks like your patch changes the behavior for malformed lines from >> >> skipping them (and continuing to search for the next valid line) to >> >> returning 0. Is that intentional? Maybe it's better; I'm not sure. But >> >> won't it even cause blank lines to return 0? >>=20 >> Because I only check for the first field being present, a lot of >> nonsensical lines will be accepted. >>=20 >> As I said in the patch commentary: >>=20 >> > After this change, only the first field is >> > required, which matches Glibc's behaviour. >> > >> > [snip] >> > >> > We could also be stricter about it, and enforce that the first four >> > fields are present, since the man page says only the last two are >> > optional. Doing that would be a simple change of checking for the >> > presence of mnt_opts instead of mnt_fsname at the end of my patch. >>=20 >> It probably would make more sense to check that the four fields the man >> pages implies are required are all there, by making the change I >> suggested in the commentary, at least until somebody complains about >> their two-field fstab being accepted by Glibc and not Musl. >>=20 >> > Indeed it also seems to be skipping empty lines, contrary to what you >> > said in another message: >> > >> >> =E2=80=A2 Empty lines should be skipped. >>=20 >> Yes, it looks like I was mistaken before when I thought that Musl didn't >> properly handle comments and empty lines. Looking back, it seems that >> the tests I was running were against mntent files with only four fields, >> so the parsing failures I was seeing were because of that, not because >> of an issue in the comment or empty line handling. >>=20 >> My patch does (inadventently) change the behaviour of empty line >> handling. We should leave the current behaviour of skipping over empty >> lines as is. Suggested fix at the end of this message. >>=20 >> > Do you have a preference on how to proceed? We could add back a >> > condition to the while loop, something like linebuf[n[0]]=3D=3D'#' || >> > n[6]=3D=3Dlen (i.e. skip lines with too few fields, possibly using a >> > different number instead of 6 if more appropriate). Or we could do >> > what I suggested before: >> > >> >> A less invasive change might be adding "%1[ \t\n\v\f\r]" and a dummy >> >> char* argument to collect the value before the " %d %d". Then you can >> >> check for cnt<1. But I'm not sure even the 4th field should be >> >> mandatory. This same apprach could be used to make just 3 mandatory if >> >> desired though. >> > >> > Thoughts? >>=20 >> I think it would clearer to have an explicit check that the last >> mandatory field is set, like I currently do with the mnt_fsname check at >> the end of the function. I don't particularly mind how many fields are >> mandatory, as long as its four or fewer so Musl's behaviour follows the >> fstab format described in the man page. >>=20 >> So overall my proposed revisions would be the following. There's a >> change to move to the next line if the current one is empty, and a >> change to ensure the first four fields are all present. (If you decide >> you'd like the fourth field to also be optional, we can just change >> mnt_opts to mnt_type in that check.) It's been a long time since I last >> this code, btw, so I hope I'm not missing anything around the empty line >> check. I'd be happy to put together a revised series, with these >> changes and a corresponding change to my libc-test patch, if you'd like. >>=20 >> diff --git i/src/misc/mntent.c w/src/misc/mntent.c >> index 169e9789..7782cb10 100644 >> --- i/src/misc/mntent.c >> +++ w/src/misc/mntent.c >> @@ -47,7 +47,7 @@ struct mntent *getmntent_r(FILE *f, struct mntent *mnt= , char *linebuf, int bufle >> n, n+1, n+2, n+3, n+4, n+5, n+6, n+7, >> &mnt->mnt_freq, &mnt->mnt_passno) =3D=3D EOF && ferror(f)) >> return 0; >> - } while (linebuf[n[0]] =3D=3D '#'); >> + } while (linebuf[0] =3D=3D '\n' || linebuf[n[0]] =3D=3D '#'); >>=20=20 >> linebuf[n[1]] =3D 0; >> linebuf[n[3]] =3D 0; >> @@ -59,7 +59,7 @@ struct mntent *getmntent_r(FILE *f, struct mntent *mnt= , char *linebuf, int bufle >> mnt->mnt_type =3D linebuf+n[4]; >> mnt->mnt_opts =3D linebuf+n[6]; >>=20=20 >> - if (!*mnt->mnt_fsname) >> + if (!*mnt->mnt_opts) >> return 0; >>=20=20 >> return mnt; > > What I still don't like here is that this changes the behavior on > something that's not a valid record (in whatever sense we define that) > from continuing the loop looking for the next one, to returning a null > pointer with no indication of what the error was. Treating empty lines > as an error (rather than continuing) was just one special case of > that. For an analogy, see how the pwd/grp functions work. Something > malformed in the file is just "not a record" and search continues for > the next valid record (if any) rather than giving the caller a > non-actionable (since this is assumed to be a sort of > trusted/authoritative data outside the application's control) error. Okay, that makes sense. So it seems like our choices when faced with an invalid record are: =E2=80=A2 Skip it and move on to the next one, as you've proposed here; or =E2=80=A2 Try to fill in as many fields of the mntent structure as possibl= e, and return successfully, like Glibc does. If we go with the first option, as you've proposed, do you think the difference in behaviour from Glibc would be an issue? (I'm mostly thinking of the case where a record doesn't have enough fields here. There are also the cases where a record has too many fields, or when fields 5 and 6 are numeric. I haven't looked into how Glibc handles those yet.) --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEH9wgcxqlHM/ARR3h+dvtSFmyccAFAmHgdSEACgkQ+dvtSFmy ccDe+g/+MOSmaoUr1gWMYQ0Y8Lyawwewm/paLsL+MGvvIvNOEveDmoZVdn7v//NP psEZCIPR49WX96N+ze7NSsgwlajNtTgvm9or6PAhTUb3B2XeNVEC9iuaP/qu1QSz ULJQ5XYa97y4Ffe23axLSkM0Q6JysBu6H5LklxcGRsbCULmglOKNuSkg+6RpIcRc k/Ss99OpyqHXT6SgZX9biuCXx8Mju8gNAubYCzvmyZ06jh5XLHPH5OwhkHiyGpGy DMF9MfFnzhzUj4s9IK3K4XeeCV5hFbfAaqwiDr3JaPRnQjeVv/fRAn+zOSLDK6qP bE4Wy8ydhXnyJTjKUSW+NS4wkVvR98lzZCeuuLMHYSVkc0Smi2oySeedOxlG5skb a33UNz4G6JbQsyIVLcfp3IwGNvu+uZAqmZaZI1XnA4fqMxEuYvbR1krfH3xoIi7N tF+y4fh+cNKISvp0mFEGswiK16akfMZ6qJonnQ0QC5QRazVDnqingjJaHJ2vSGrf e732jBscGpwLPQxEWuml0wNVGnDgoqrAvk0RLVEkaxZTpwfDJrrOFoKMeya4DaIo 1DMLylKwjBNGTM3b60aWboXDohcftTO898/tP4aPyvDZ4VvLQ0mqpqp7rPk56mUz D5GQvSstV8C58syL1+Jz0r3gpQXfyyD7CPCQLQBVKn44iFAdazQ= =Mdyj -----END PGP SIGNATURE----- --=-=-=--