DPDK patches and discussions
 help / color / mirror / Atom feed
* [PATCH] telemetry: avoid truncation of strlcpy return before check
@ 2023-08-02 21:21 Tyler Retzlaff
  2023-08-03  8:15 ` Bruce Richardson
  2023-08-08  2:24 ` lihuisong (C)
  0 siblings, 2 replies; 7+ messages in thread
From: Tyler Retzlaff @ 2023-08-02 21:21 UTC (permalink / raw)
  To: dev; +Cc: Ciara Power, bruce.richardson, Tyler Retzlaff

strlcpy returns type size_t when directly assigning to
struct rte_tel_data data_len field it may be truncated leading to
compromised length check that follows

Since the limit in the check is < UINT_MAX the value returned is
safe to be cast to unsigned int (which may be narrower than size_t)
but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN

Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
---
 lib/telemetry/telemetry_data.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
index 3b1a240..52307cb 100644
--- a/lib/telemetry/telemetry_data.c
+++ b/lib/telemetry/telemetry_data.c
@@ -41,12 +41,13 @@
 int
 rte_tel_data_string(struct rte_tel_data *d, const char *str)
 {
+	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
 	d->type = TEL_STRING;
-	d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
-	if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
+	if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
 		d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
 		return E2BIG; /* not necessarily and error, just truncation */
 	}
+	d->data_len = (unsigned int)len;
 	return 0;
 }
 
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
  2023-08-02 21:21 [PATCH] telemetry: avoid truncation of strlcpy return before check Tyler Retzlaff
@ 2023-08-03  8:15 ` Bruce Richardson
  2023-08-08  2:24 ` lihuisong (C)
  1 sibling, 0 replies; 7+ messages in thread
From: Bruce Richardson @ 2023-08-03  8:15 UTC (permalink / raw)
  To: Tyler Retzlaff; +Cc: dev, Ciara Power

On Wed, Aug 02, 2023 at 02:21:01PM -0700, Tyler Retzlaff wrote:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
> 
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> 
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
Acked-by: Bruce Richardson <bruce.richardson@intel.com>

This probably should be marked as a fix for backport.

>  lib/telemetry/telemetry_data.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
>  int
>  rte_tel_data_string(struct rte_tel_data *d, const char *str)
>  {
> +	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
>  	d->type = TEL_STRING;
> -	d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> -	if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> +	if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
>  		d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
>  		return E2BIG; /* not necessarily and error, just truncation */
>  	}
> +	d->data_len = (unsigned int)len;
>  	return 0;
>  }
>  
> -- 
> 1.8.3.1
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
  2023-08-02 21:21 [PATCH] telemetry: avoid truncation of strlcpy return before check Tyler Retzlaff
  2023-08-03  8:15 ` Bruce Richardson
@ 2023-08-08  2:24 ` lihuisong (C)
  2023-08-08 17:59   ` Tyler Retzlaff
  1 sibling, 1 reply; 7+ messages in thread
From: lihuisong (C) @ 2023-08-08  2:24 UTC (permalink / raw)
  To: Tyler Retzlaff, dev; +Cc: Ciara Power, bruce.richardson, lihuisong


在 2023/8/3 5:21, Tyler Retzlaff 写道:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
>
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
>
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
>   lib/telemetry/telemetry_data.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
>   int
>   rte_tel_data_string(struct rte_tel_data *d, const char *str)
>   {
> +	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
So It seems that this truncation probably will not happen.
>   	d->type = TEL_STRING;
> -	d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> -	if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> +	if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
>   		d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
>   		return E2BIG; /* not necessarily and error, just truncation */
>   	}
> +	d->data_len = (unsigned int)len;
>   	return 0;
>   }
>   

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
  2023-08-08  2:24 ` lihuisong (C)
@ 2023-08-08 17:59   ` Tyler Retzlaff
  2023-08-08 18:35     ` Bruce Richardson
  0 siblings, 1 reply; 7+ messages in thread
From: Tyler Retzlaff @ 2023-08-08 17:59 UTC (permalink / raw)
  To: lihuisong (C); +Cc: dev, Ciara Power, bruce.richardson

On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> 
> 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> >strlcpy returns type size_t when directly assigning to
> >struct rte_tel_data data_len field it may be truncated leading to
> >compromised length check that follows
> >
> >Since the limit in the check is < UINT_MAX the value returned is
> >safe to be cast to unsigned int (which may be narrower than size_t)
> >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> >
> >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> >---
> >  lib/telemetry/telemetry_data.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> >index 3b1a240..52307cb 100644
> >--- a/lib/telemetry/telemetry_data.c
> >+++ b/lib/telemetry/telemetry_data.c
> >@@ -41,12 +41,13 @@
> >  int
> >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> >  {
> >+	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> So It seems that this truncation probably will not happen.

agreed, regardless the data type choices permit a size that exceeds the
range of the narrower type and the assignment results in a warning being
generated on some targets. that's why the truncating cast is safe to
add.

none of this would be necessary if data_len had been appropriately typed
as size_t.  Bruce should we be changing the type instead since we are in
23.11 merge window...?


^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
  2023-08-08 17:59   ` Tyler Retzlaff
@ 2023-08-08 18:35     ` Bruce Richardson
  2024-02-01 11:45       ` David Marchand
  0 siblings, 1 reply; 7+ messages in thread
From: Bruce Richardson @ 2023-08-08 18:35 UTC (permalink / raw)
  To: Tyler Retzlaff; +Cc: lihuisong (C), dev, Ciara Power

On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > 
> > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > >strlcpy returns type size_t when directly assigning to
> > >struct rte_tel_data data_len field it may be truncated leading to
> > >compromised length check that follows
> > >
> > >Since the limit in the check is < UINT_MAX the value returned is
> > >safe to be cast to unsigned int (which may be narrower than size_t)
> > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > >
> > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > >---
> > >  lib/telemetry/telemetry_data.c | 5 +++--
> > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > >index 3b1a240..52307cb 100644
> > >--- a/lib/telemetry/telemetry_data.c
> > >+++ b/lib/telemetry/telemetry_data.c
> > >@@ -41,12 +41,13 @@
> > >  int
> > >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > >  {
> > >+	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > So It seems that this truncation probably will not happen.
> 
> agreed, regardless the data type choices permit a size that exceeds the
> range of the narrower type and the assignment results in a warning being
> generated on some targets. that's why the truncating cast is safe to
> add.
> 
> none of this would be necessary if data_len had been appropriately typed
> as size_t.  Bruce should we be changing the type instead since we are in
> 23.11 merge window...?
> 
I'm fine either way, to be honest.

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
  2023-08-08 18:35     ` Bruce Richardson
@ 2024-02-01 11:45       ` David Marchand
  2024-02-01 16:42         ` Tyler Retzlaff
  0 siblings, 1 reply; 7+ messages in thread
From: David Marchand @ 2024-02-01 11:45 UTC (permalink / raw)
  To: Bruce Richardson, Tyler Retzlaff; +Cc: lihuisong (C), dev, Ciara Power

On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
<bruce.richardson@intel.com> wrote:
>
> On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > >
> > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > >strlcpy returns type size_t when directly assigning to
> > > >struct rte_tel_data data_len field it may be truncated leading to
> > > >compromised length check that follows
> > > >
> > > >Since the limit in the check is < UINT_MAX the value returned is
> > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > >
> > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > >---
> > > >  lib/telemetry/telemetry_data.c | 5 +++--
> > > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > >index 3b1a240..52307cb 100644
> > > >--- a/lib/telemetry/telemetry_data.c
> > > >+++ b/lib/telemetry/telemetry_data.c
> > > >@@ -41,12 +41,13 @@
> > > >  int
> > > >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > >  {
> > > >+  const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > So It seems that this truncation probably will not happen.
> >
> > agreed, regardless the data type choices permit a size that exceeds the
> > range of the narrower type and the assignment results in a warning being
> > generated on some targets. that's why the truncating cast is safe to
> > add.
> >
> > none of this would be necessary if data_len had been appropriately typed
> > as size_t.  Bruce should we be changing the type instead since we are in
> > 23.11 merge window...?
> >
> I'm fine either way, to be honest.

Can we conclude?
struct rte_tel_data seems internal (at least opaque from an
application pov), so I suppose the option of changing data_len to
size_t is still on the table.

And we are missing a Fixes: tag too.

Thanks.

-- 
David Marchand


^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH] telemetry: avoid truncation of strlcpy return before check
  2024-02-01 11:45       ` David Marchand
@ 2024-02-01 16:42         ` Tyler Retzlaff
  0 siblings, 0 replies; 7+ messages in thread
From: Tyler Retzlaff @ 2024-02-01 16:42 UTC (permalink / raw)
  To: David Marchand; +Cc: Bruce Richardson, lihuisong (C), dev, Ciara Power

On Thu, Feb 01, 2024 at 12:45:43PM +0100, David Marchand wrote:
> On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
> <bruce.richardson@intel.com> wrote:
> >
> > On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > > >
> > > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > > >strlcpy returns type size_t when directly assigning to
> > > > >struct rte_tel_data data_len field it may be truncated leading to
> > > > >compromised length check that follows
> > > > >
> > > > >Since the limit in the check is < UINT_MAX the value returned is
> > > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > > >
> > > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > > >---
> > > > >  lib/telemetry/telemetry_data.c | 5 +++--
> > > > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > > >
> > > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > > >index 3b1a240..52307cb 100644
> > > > >--- a/lib/telemetry/telemetry_data.c
> > > > >+++ b/lib/telemetry/telemetry_data.c
> > > > >@@ -41,12 +41,13 @@
> > > > >  int
> > > > >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > > >  {
> > > > >+  const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > > So It seems that this truncation probably will not happen.
> > >
> > > agreed, regardless the data type choices permit a size that exceeds the
> > > range of the narrower type and the assignment results in a warning being
> > > generated on some targets. that's why the truncating cast is safe to
> > > add.
> > >
> > > none of this would be necessary if data_len had been appropriately typed
> > > as size_t.  Bruce should we be changing the type instead since we are in
> > > 23.11 merge window...?
> > >
> > I'm fine either way, to be honest.
> 
> Can we conclude?
> struct rte_tel_data seems internal (at least opaque from an
> application pov), so I suppose the option of changing data_len to
> size_t is still on the table.
> 
> And we are missing a Fixes: tag too.

there is actually a general pattern of this problem across dpdk tree and
this fixes one instance.

i've marked the patch as rejected for now and hope to come back with a
more comprehensive series after msvc work is merged.

ty

> 
> Thanks.
> 
> -- 
> David Marchand

^ permalink raw reply	[flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-02-01 16:42 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-02 21:21 [PATCH] telemetry: avoid truncation of strlcpy return before check Tyler Retzlaff
2023-08-03  8:15 ` Bruce Richardson
2023-08-08  2:24 ` lihuisong (C)
2023-08-08 17:59   ` Tyler Retzlaff
2023-08-08 18:35     ` Bruce Richardson
2024-02-01 11:45       ` David Marchand
2024-02-01 16:42         ` Tyler Retzlaff

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).