-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
implement internal safe_strcpy to replace the strncpy #620
Conversation
@wyr-7, @tomi-font, |
The strlcpy() function has only recently become available in glibc. To ensure compatibility with legacy libc versions, this commit implements an internal version of strlcpy(). The function has been adapted from the FreeBSD implementation to fit our needs. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit c7c85bcfeb4f2c1be772efea8a889aa796d1a7c1) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal strlcpy function, which guarantees null-termination of the destination string. Note: (void)strlcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit e83acc98ad18f27bd1c12de808aaed84a0091791) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal strlcpy function, which guarantees null-termination of the destination string. Note: (void)strlcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit b1606070c9109ac581e1aa8dcff2871d0207e839) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]>
The strlcpy() function has only recently become available in glibc. To ensure compatibility with legacy libc versions, this commit implements an internal version of strlcpy(). The function has been adapted from the FreeBSD implementation to fit our needs. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit c7c85bcfeb4f2c1be772efea8a889aa796d1a7c1) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal strlcpy function, which guarantees null-termination of the destination string. Note: (void)strlcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit e83acc98ad18f27bd1c12de808aaed84a0091791) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal strlcpy function, which guarantees null-termination of the destination string. Note: (void)strlcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit b1606070c9109ac581e1aa8dcff2871d0207e839) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]>
The strlcpy() function has only recently become available in glibc. To ensure compatibility with legacy libc versions, this commit implements an internal version of strlcpy(). The function has been adapted from the FreeBSD implementation to fit our needs. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit c7c85bcfeb4f2c1be772efea8a889aa796d1a7c1) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal strlcpy function, which guarantees null-termination of the destination string. Note: (void)strlcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit e83acc98ad18f27bd1c12de808aaed84a0091791) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal strlcpy function, which guarantees null-termination of the destination string. Note: (void)strlcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]> (cherry picked from commit b1606070c9109ac581e1aa8dcff2871d0207e839) Upstream PR: OpenAMP/open-amp#620 Signed-off-by: Tomi Fontanilles <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]>
Origin: OpenAMP/open-amp#620 Commits: e233473d14654f08468595ad0dbe8f7e58acf267 8591566382d055acd33f9d23e6826a8a4b0a1881 1aecdc737d463b4ff1ece36847f4f2e68d4ffe4a Status: Cherry pick PR that fixes the `stringop-truncation` compilation errors due to former usage of `strncpy()`. Signed-off-by: Tomi Fontanilles <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to go.
I got such AddressSanitizer error from the "string.c":
It can resolved with the changes in zephyrproject-rtos/open-amp#23 |
@laxiLang could you tell me how to reproduce the test
Copy/past from comment zephyrproject-rtos/open-amp@cff00b6#r1792242968: The function has to return the total length of the string it tried to create so the size of the source |
@arnopo : I enabled the GCC address sanitizer check. It can be easily reproduced if run a test function as below:
got such below error:
####################################################################################### To make address sanitizer check passed, the below change with still return total length of the string works.
|
The Based on this, it looks to me that strlcpy is not 100% safe. A safer approach would be to provide the size of the source string in addition to the destination size, and then return the size of the destination string.
|
I have updated the PR in this way |
b293552
to
58e344f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aside from the above question about the documentation, this looks good to go.l
The strlcpy() function has only recently become available in glibc. While this function prevents destination buffer overflow, it seems that it cannot guarantee read access only within the source buffer. this is for instance the case if the source string is not terminated by a'\0' character. Implement a safe_strcpy to ensure that no access is done out of the source and destination buffer ranges. Signed-off-by: Arnaud Pouliquen <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal safe_strcpy() function, which guarantees null-termination of the destination string but also access only in buffer memory ranges. Note: (void)safe_strcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]>
The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal safe_strcpy() function, which guarantees null-termination of the destination string but also access only in buffer memory ranges. Note: (void)safe_strcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen <[email protected]>
Compiler complain aboiut the use of strncpy that is not safe.
Already 3 PRs propose a fix of the issue:
strlcpy
seems to have been recently integrated into glibc, but it appears to only prevent overflow in the destination buffer without ensuring that we do not perform a read out of the source buffer.