Subject: Re: [PATCH 1/3] : Add type safety and port to Hurd
To: Florian Weimer
Cc: libc-alpha@sourceware.org, Samuel Thibault
From: Paul Eggert
Date: Sun, 16 Feb 2020 00:02:00 -0000
In-Reply-To: <87wo8oxa63.fsf@oldenburg2.str.redhat.com>

On 2/15/20 5:16 AM, Florian Weimer wrote:
> INT_STRLEN_BOUND is 11, right?

Yes, it's a bound on the string length of a printed int, and that's 11
in the typical case of 32-bit int because the int might be negative. I
didn't lose sleep over the wasted byte, but if we want a tighter bound
then we could use INT_STRLEN_BOUND (int) - 1 instead. However, it might
be better to leave it alone so that we can use the code below.

> The problem is when an application passes an invalid descriptor to some
> libc function and that ends up with __fd_to_filename. We should not
> make matters worse in that case.

If it's not a precondition that the descriptor is nonnegative, we can't
simply return a copy of FD_TO_FILENAME_PREFIX as that's an existing
filename.
Instead, how about the following? It uses a randomish garbage filename
beginning with "-" which should be good enough, and it doesn't cost a
conditional branch to handle negative descriptors.

char *
__fd_to_filename (int descriptor, struct fd_to_filename *storage)
{
  /* Copy the whole prefix, trailing '/' included, so that everything
     written below forms the final path component.  */
  char *p = mempcpy (storage->buffer, FD_TO_FILENAME_PREFIX,
                     strlen (FD_TO_FILENAME_PREFIX));

  /* If DESCRIPTOR is negative, arrange for the filename to not exist
     by prepending any byte other than '/', '.', '\0' or an ASCII digit.
     The rest of the filename will be gibberish that fits.  A
     nonnegative DESCRIPTOR overwrites the '-' with its first digit.  */
  *p = '-';
  p += descriptor < 0;

  /* Advance P once per decimal digit.  D % 10 stays negative for
     negative D, so INT_MIN needs no overflowing negation.  */
  for (int d = descriptor; p++, (d /= 10) != 0; )
    continue;
  *p = '\0';

  /* Now write the digits backwards from the terminating NUL.  */
  for (int d = descriptor; *--p = '0' + d % 10, (d /= 10) != 0; )
    continue;

  return storage->buffer;
}
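As an added, self-contained check that is not part of the mail or of glibc, the following exercises the proposed routine (whole prefix copied, memcpy in place of mempcpy) against constructed stand-ins for FD_TO_FILENAME_PREFIX, INT_STRLEN_BOUND and struct fd_to_filename, which are assumed here rather than taken from the patch. It confirms the buffer bound and the leading '-' for negative descriptors, including INT_MIN.

```c
#include <limits.h>
#include <string.h>

/* Constructed stand-ins (assumed, not the patch's own definitions) for the
   glibc names the mail relies on.  */
#define FD_TO_FILENAME_PREFIX "/proc/self/fd/"
/* Longest decimal form of an int including a sign: 11 for 32-bit int.  */
#define INT_STRLEN_BOUND(t) ((sizeof (t) * CHAR_BIT - 1) * 146 / 485 + 2)
/* sizeof counts the prefix's NUL, which becomes the final NUL.  */
struct fd_to_filename
{ char buffer[sizeof (FD_TO_FILENAME_PREFIX) + INT_STRLEN_BOUND (int)]; };

/* The formatter proposed in the mail, with memcpy standing in for mempcpy.  */
static char *
fd_to_filename (int descriptor, struct fd_to_filename *storage)
{
  size_t n = strlen (FD_TO_FILENAME_PREFIX);
  char *p = storage->buffer + n;
  memcpy (storage->buffer, FD_TO_FILENAME_PREFIX, n);
  /* The '-' survives only for negative descriptors; otherwise the first
     digit overwrites it.  */
  *p = '-';
  p += descriptor < 0;
  /* d % 10 stays negative for negative d, so INT_MIN needs no negation.  */
  for (int d = descriptor; p++, (d /= 10) != 0; )
    continue;
  *p = '\0';
  for (int d = descriptor; *--p = '0' + d % 10, (d /= 10) != 0; )
    continue;
  return storage->buffer;
}

/* 1 if DESCRIPTOR formats to EXPECTED without leaving the buffer.  */
int formats_as (int descriptor, const char *expected)
{
  struct fd_to_filename storage;
  const char *s = fd_to_filename (descriptor, &storage);
  return s == storage.buffer && strlen (s) < sizeof storage.buffer
         && strcmp (s, expected) == 0;
}

/* 1 if a negative DESCRIPTOR stays in bounds and the component after the
   prefix starts with '-', so the name cannot match a real entry.  */
int negative_cannot_exist (int descriptor)
{
  struct fd_to_filename storage;
  const char *s = fd_to_filename (descriptor, &storage);
  size_t n = strlen (FD_TO_FILENAME_PREFIX);
  return descriptor < 0 && strlen (s) < sizeof storage.buffer
         && memcmp (s, FD_TO_FILENAME_PREFIX, n) == 0 && s[n] == '-';
}
```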