zfs/module/os/freebsd/spl/spl_string.c

138 lines
3.1 KiB
C
Raw Normal View History

/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or https://opensource.org/licenses/CDDL-1.0.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
* $FreeBSD$
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/string.h>
#include <sys/kmem.h>
#include <machine/stdarg.h>
#define IS_DIGIT(c) ((c) >= '0' && (c) <= '9')
#define IS_ALPHA(c) \
(((c) >= 'a' && (c) <= 'z') || ((c) >= 'A' && (c) <= 'Z'))
char *
strpbrk(const char *s, const char *b)
{
const char *p;
do {
for (p = b; *p != '\0' && *p != *s; ++p)
;
if (*p != '\0')
return ((char *)s);
} while (*s++);
return (NULL);
}
/*
* Convert a string into a valid C identifier by replacing invalid
* characters with '_'. Also makes sure the string is nul-terminated
* and takes up at most n bytes.
*/
void
strident_canon(char *s, size_t n)
{
char c;
char *end = s + n - 1;
if ((c = *s) == 0)
return;
if (!IS_ALPHA(c) && c != '_')
*s = '_';
while (s < end && ((c = *(++s)) != 0)) {
if (!IS_ALPHA(c) && !IS_DIGIT(c) && c != '_')
*s = '_';
}
*s = 0;
}
/*
* Do not change the length of the returned string; it must be freed
* with strfree().
*/
char *
kmem_asprintf(const char *fmt, ...)
{
int size;
va_list adx;
char *buf;
va_start(adx, fmt);
size = vsnprintf(NULL, 0, fmt, adx) + 1;
va_end(adx);
buf = kmem_alloc(size, KM_SLEEP);
va_start(adx, fmt);
(void) vsnprintf(buf, size, fmt, adx);
va_end(adx);
return (buf);
}
void
kmem_strfree(char *str)
{
ASSERT3P(str, !=, NULL);
kmem_free(str, strlen(str) + 1);
}
Introduce kmem_scnprintf() `snprintf()` is meant to protect against buffer overflows, but operating on the buffer using its return value, possibly by calling it again, can cause a buffer overflow, because it will return how many characters it would have written if it had enough space even when it did not. In a number of places, we repeatedly call snprintf() by successively incrementing a buffer offset and decrementing a buffer length, by its return value. This is a potentially unsafe usage of `snprintf()` whenever the buffer length is reached. CodeQL complained about this. To fix this, we introduce `kmem_scnprintf()`, which will return 0 when the buffer is zero or the number of written characters, minus 1 to exclude the NULL character, when the buffer was too small. In all other cases, it behaves like snprintf(). The name is inspired by the Linux and XNU kernels' `scnprintf()`. The implementation was written before I thought to look at `scnprintf()` and had a good name for it, but it turned out to have identical semantics to the Linux kernel version. That lead to the name, `kmem_scnprintf()`. CodeQL only catches this issue in loops, so repeated use of snprintf() outside of a loop was not caught. As a result, a thorough audit of the codebase was done to examine all instances of `snprintf()` usage for potential problems and a few were caught. Fixes for them are included in this patch. Unfortunately, ZED is one of the places where `snprintf()` is potentially used incorrectly. Since using `kmem_scnprintf()` in it would require changing how it is linked, we modify its usage to make it safe, no matter what buffer length is used. In addition, there was a bug in the use of the return value where the NULL format character was not being written by pwrite(). That has been fixed. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #14098
2022-10-27 18:16:04 +00:00
/*
* kmem_scnprintf() will return the number of characters that it would have
* printed whenever it is limited by value of the size variable, rather than
* the number of characters that it did print. This can cause misbehavior on
* subsequent uses of the return value, so we define a safe version that will
* return the number of characters actually printed, minus the NULL format
* character. Subsequent use of this by the safe string functions is safe
* whether it is snprintf(), strlcat() or strlcpy().
*/
int
kmem_scnprintf(char *restrict str, size_t size, const char *restrict fmt, ...)
{
int n;
va_list ap;
/* Make the 0 case a no-op so that we do not return -1 */
if (size == 0)
return (0);
va_start(ap, fmt);
n = vsnprintf(str, size, fmt, ap);
va_end(ap);
if (n >= size)
n = size - 1;
return (n);
}