From: Florian Weimer <fweimer@redhat.com>
To: Szabolcs Nagy <szabolcs.nagy@arm.com>
Cc: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
"H.J. Lu" <hjl.tools@gmail.com>,
Noah Goldstein <goldstein.w.n@gmail.com>,
libc-alpha@sourceware.org
Subject: Re: [PATCH v2] string: Fix OOB read on generic strncmp
Date: Fri, 24 Feb 2023 11:58:04 +0100 [thread overview]
Message-ID: <87ilfrmitf.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <Y/iPI784YA0wMt3t@arm.com> (Szabolcs Nagy's message of "Fri, 24 Feb 2023 10:19:15 +0000")
* Szabolcs Nagy:
> The 02/23/2023 15:15, Adhemerval Zanella Netto wrote:
>> Noah has brought to my attention that he tried to add similar tests,
>> but they were rejected by strncmp string must be null-terminated [1].
>>
>> The working drafts for C standard I have access (n1256.pdf for C99 and
>> n3047.pdf for c2x) do not say possibly null-terminated array (as some
>> stackoverflow answer state [2]) they refer only as array. So I tend
>> to follow Florian understanding that strncmp inputs should be NULL
>> terminated.
>
> c11 draft is n1570.pdf
> https://open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
>
> i dont understand what extension Florian is talking about.
> (i think that was about strcmp not strncmp)
>
> c11 and c23 are clear that strncmp args may *not* be null-terminated
> so i think we should be careful not to overread.
It's common to use strncmp as a starts-with predicate, like this:
strncmp (s, "prefix", 5)
This requires that reading stops at the first null byte. C11 wording
makes this kind of usage inadvisable because it treats the inputs as
arrays, and this means that mean that implementations could read past
the null byte. But that doesn't match current programming practice.
The strnlen function has the same problem if you want to use it to limit
readhead, e.g. in sscanf to fix bug 17577. (POSIX also speaks of an
array argument.) In stdio-common/Xprintf_buffer_puts_1.c, we already
use it to avoid a similar performance glitch. It's not the first such
uses, there is already a similar call (with similar rationale) in
string/strcasestr.c, and for wcsnlen in
stdio-common/vfprintf-process-arg.c.
I think we should support all these as extensions. The alternative
would be to add new functions that stop reading after the first null
byte (particularly for the strnlen optimization).
Unfortunately, the last time I brought this up, the manual was updated
to double down on the array interpretation. I think this was the
result:
commit 2cc4b9cce51643ec299e97450ccde4deeecfb083
Author: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri Dec 4 08:27:14 2015 -0800
Consistency about byte vs character in string.texi
I think that's just not the right direction for glibc.
Thanks,
Florian
next prev parent reply other threads:[~2023-02-24 10:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-22 16:31 Adhemerval Zanella
2023-02-22 17:21 ` Szabolcs Nagy
2023-02-23 18:15 ` Adhemerval Zanella Netto
2023-02-24 10:19 ` Szabolcs Nagy
2023-02-24 10:58 ` Florian Weimer [this message]
2023-02-23 19:10 Wilco Dijkstra
2023-02-24 12:24 Wilco Dijkstra
2023-02-24 12:34 ` Adhemerval Zanella Netto
2023-02-24 12:43 ` Szabolcs Nagy
2023-02-24 12:57 ` Adhemerval Zanella Netto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ilfrmitf.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=adhemerval.zanella@linaro.org \
--cc=goldstein.w.n@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=szabolcs.nagy@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).