* [PATCH] telemetry: avoid truncation of strlcpy return before check
@ 2023-08-02 21:21 Tyler Retzlaff
2023-08-03 8:15 ` Bruce Richardson
2023-08-08 2:24 ` lihuisong (C)
0 siblings, 2 replies; 7+ messages in thread
From: Tyler Retzlaff @ 2023-08-02 21:21 UTC (permalink / raw)
To: dev; +Cc: Ciara Power, bruce.richardson, Tyler Retzlaff
strlcpy returns type size_t when directly assigning to
struct rte_tel_data data_len field it may be truncated leading to
compromised length check that follows
Since the limit in the check is < UINT_MAX the value returned is
safe to be cast to unsigned int (which may be narrower than size_t)
but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
---
lib/telemetry/telemetry_data.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
index 3b1a240..52307cb 100644
--- a/lib/telemetry/telemetry_data.c
+++ b/lib/telemetry/telemetry_data.c
@@ -41,12 +41,13 @@
int
rte_tel_data_string(struct rte_tel_data *d, const char *str)
{
+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
d->type = TEL_STRING;
- d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
- if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
+ if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
return E2BIG; /* not necessarily and error, just truncation */
}
+ d->data_len = (unsigned int)len;
return 0;
}
--
1.8.3.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
2023-08-02 21:21 [PATCH] telemetry: avoid truncation of strlcpy return before check Tyler Retzlaff
@ 2023-08-03 8:15 ` Bruce Richardson
2023-08-08 2:24 ` lihuisong (C)
1 sibling, 0 replies; 7+ messages in thread
From: Bruce Richardson @ 2023-08-03 8:15 UTC (permalink / raw)
To: Tyler Retzlaff; +Cc: dev, Ciara Power
On Wed, Aug 02, 2023 at 02:21:01PM -0700, Tyler Retzlaff wrote:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
>
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
>
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
This probably should be marked as a fix for backport.
> lib/telemetry/telemetry_data.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
> int
> rte_tel_data_string(struct rte_tel_data *d, const char *str)
> {
> + const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> d->type = TEL_STRING;
> - d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> - if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> + if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
> return E2BIG; /* not necessarily and error, just truncation */
> }
> + d->data_len = (unsigned int)len;
> return 0;
> }
>
> --
> 1.8.3.1
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
2023-08-02 21:21 [PATCH] telemetry: avoid truncation of strlcpy return before check Tyler Retzlaff
2023-08-03 8:15 ` Bruce Richardson
@ 2023-08-08 2:24 ` lihuisong (C)
2023-08-08 17:59 ` Tyler Retzlaff
1 sibling, 1 reply; 7+ messages in thread
From: lihuisong (C) @ 2023-08-08 2:24 UTC (permalink / raw)
To: Tyler Retzlaff, dev; +Cc: Ciara Power, bruce.richardson, lihuisong
在 2023/8/3 5:21, Tyler Retzlaff 写道:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
>
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
>
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
> lib/telemetry/telemetry_data.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
> int
> rte_tel_data_string(struct rte_tel_data *d, const char *str)
> {
> + const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
So It seems that this truncation probably will not happen.
> d->type = TEL_STRING;
> - d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> - if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> + if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
> return E2BIG; /* not necessarily and error, just truncation */
> }
> + d->data_len = (unsigned int)len;
> return 0;
> }
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
2023-08-08 2:24 ` lihuisong (C)
@ 2023-08-08 17:59 ` Tyler Retzlaff
2023-08-08 18:35 ` Bruce Richardson
0 siblings, 1 reply; 7+ messages in thread
From: Tyler Retzlaff @ 2023-08-08 17:59 UTC (permalink / raw)
To: lihuisong (C); +Cc: dev, Ciara Power, bruce.richardson
On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
>
> 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> >strlcpy returns type size_t when directly assigning to
> >struct rte_tel_data data_len field it may be truncated leading to
> >compromised length check that follows
> >
> >Since the limit in the check is < UINT_MAX the value returned is
> >safe to be cast to unsigned int (which may be narrower than size_t)
> >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> >
> >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> >---
> > lib/telemetry/telemetry_data.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> >index 3b1a240..52307cb 100644
> >--- a/lib/telemetry/telemetry_data.c
> >+++ b/lib/telemetry/telemetry_data.c
> >@@ -41,12 +41,13 @@
> > int
> > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > {
> >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> So It seems that this truncation probably will not happen.
agreed, regardless the data type choices permit a size that exceeds the
range of the narrower type and the assignment results in a warning being
generated on some targets. that's why the truncating cast is safe to
add.
none of this would be necessary if data_len had been appropriately typed
as size_t. Bruce should we be changing the type instead since we are in
23.11 merge window...?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
2023-08-08 17:59 ` Tyler Retzlaff
@ 2023-08-08 18:35 ` Bruce Richardson
2024-02-01 11:45 ` David Marchand
0 siblings, 1 reply; 7+ messages in thread
From: Bruce Richardson @ 2023-08-08 18:35 UTC (permalink / raw)
To: Tyler Retzlaff; +Cc: lihuisong (C), dev, Ciara Power
On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> >
> > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > >strlcpy returns type size_t when directly assigning to
> > >struct rte_tel_data data_len field it may be truncated leading to
> > >compromised length check that follows
> > >
> > >Since the limit in the check is < UINT_MAX the value returned is
> > >safe to be cast to unsigned int (which may be narrower than size_t)
> > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > >
> > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > >---
> > > lib/telemetry/telemetry_data.c | 5 +++--
> > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > >index 3b1a240..52307cb 100644
> > >--- a/lib/telemetry/telemetry_data.c
> > >+++ b/lib/telemetry/telemetry_data.c
> > >@@ -41,12 +41,13 @@
> > > int
> > > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > {
> > >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > So It seems that this truncation probably will not happen.
>
> agreed, regardless the data type choices permit a size that exceeds the
> range of the narrower type and the assignment results in a warning being
> generated on some targets. that's why the truncating cast is safe to
> add.
>
> none of this would be necessary if data_len had been appropriately typed
> as size_t. Bruce should we be changing the type instead since we are in
> 23.11 merge window...?
>
I'm fine either way, to be honest.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
2023-08-08 18:35 ` Bruce Richardson
@ 2024-02-01 11:45 ` David Marchand
2024-02-01 16:42 ` Tyler Retzlaff
0 siblings, 1 reply; 7+ messages in thread
From: David Marchand @ 2024-02-01 11:45 UTC (permalink / raw)
To: Bruce Richardson, Tyler Retzlaff; +Cc: lihuisong (C), dev, Ciara Power
On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
<bruce.richardson@intel.com> wrote:
>
> On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > >
> > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > >strlcpy returns type size_t when directly assigning to
> > > >struct rte_tel_data data_len field it may be truncated leading to
> > > >compromised length check that follows
> > > >
> > > >Since the limit in the check is < UINT_MAX the value returned is
> > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > >
> > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > >---
> > > > lib/telemetry/telemetry_data.c | 5 +++--
> > > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > >index 3b1a240..52307cb 100644
> > > >--- a/lib/telemetry/telemetry_data.c
> > > >+++ b/lib/telemetry/telemetry_data.c
> > > >@@ -41,12 +41,13 @@
> > > > int
> > > > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > > {
> > > >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > So It seems that this truncation probably will not happen.
> >
> > agreed, regardless the data type choices permit a size that exceeds the
> > range of the narrower type and the assignment results in a warning being
> > generated on some targets. that's why the truncating cast is safe to
> > add.
> >
> > none of this would be necessary if data_len had been appropriately typed
> > as size_t. Bruce should we be changing the type instead since we are in
> > 23.11 merge window...?
> >
> I'm fine either way, to be honest.
Can we conclude?
struct rte_tel_data seems internal (at least opaque from an
application pov), so I suppose the option of changing data_len to
size_t is still on the table.
And we are missing a Fixes: tag too.
Thanks.
--
David Marchand
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
2024-02-01 11:45 ` David Marchand
@ 2024-02-01 16:42 ` Tyler Retzlaff
0 siblings, 0 replies; 7+ messages in thread
From: Tyler Retzlaff @ 2024-02-01 16:42 UTC (permalink / raw)
To: David Marchand; +Cc: Bruce Richardson, lihuisong (C), dev, Ciara Power
On Thu, Feb 01, 2024 at 12:45:43PM +0100, David Marchand wrote:
> On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
> <bruce.richardson@intel.com> wrote:
> >
> > On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > > >
> > > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > > >strlcpy returns type size_t when directly assigning to
> > > > >struct rte_tel_data data_len field it may be truncated leading to
> > > > >compromised length check that follows
> > > > >
> > > > >Since the limit in the check is < UINT_MAX the value returned is
> > > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > > >
> > > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > > >---
> > > > > lib/telemetry/telemetry_data.c | 5 +++--
> > > > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > > > >
> > > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > > >index 3b1a240..52307cb 100644
> > > > >--- a/lib/telemetry/telemetry_data.c
> > > > >+++ b/lib/telemetry/telemetry_data.c
> > > > >@@ -41,12 +41,13 @@
> > > > > int
> > > > > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > > > {
> > > > >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > > So It seems that this truncation probably will not happen.
> > >
> > > agreed, regardless the data type choices permit a size that exceeds the
> > > range of the narrower type and the assignment results in a warning being
> > > generated on some targets. that's why the truncating cast is safe to
> > > add.
> > >
> > > none of this would be necessary if data_len had been appropriately typed
> > > as size_t. Bruce should we be changing the type instead since we are in
> > > 23.11 merge window...?
> > >
> > I'm fine either way, to be honest.
>
> Can we conclude?
> struct rte_tel_data seems internal (at least opaque from an
> application pov), so I suppose the option of changing data_len to
> size_t is still on the table.
>
> And we are missing a Fixes: tag too.
there is actually a general pattern of this problem across dpdk tree and
this fixes one instance.
i've marked the patch as rejected for now and hope to come back with a
more comprehensive series after msvc work is merged.
ty
>
> Thanks.
>
> --
> David Marchand
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-02-01 16:42 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-02 21:21 [PATCH] telemetry: avoid truncation of strlcpy return before check Tyler Retzlaff
2023-08-03 8:15 ` Bruce Richardson
2023-08-08 2:24 ` lihuisong (C)
2023-08-08 17:59 ` Tyler Retzlaff
2023-08-08 18:35 ` Bruce Richardson
2024-02-01 11:45 ` David Marchand
2024-02-01 16:42 ` Tyler Retzlaff
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).