From: Bruce Richardson <bruce.richardson@intel.com>
To: "Gaëtan Rivet" <grive@u256.net>
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
Olivier Matz <olivier.matz@6wind.com>,
Ciara Loftus <ciara.loftus@intel.com>,
dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH] net/af_xdp: use snprintf instead of strncpy
Date: Fri, 9 Oct 2020 11:49:42 +0100 [thread overview]
Message-ID: <20201009104942.GB1474@bricha3-MOBL.ger.corp.intel.com> (raw)
In-Reply-To: <20201009103630.jicsmryvgsxc72bl@u256.net>
On Fri, Oct 09, 2020 at 12:36:30PM +0200, Gaëtan Rivet wrote:
> On 07/10/20 12:45 +0100, Ferruh Yigit wrote:
> > On 10/7/2020 11:28 AM, Bruce Richardson wrote:
> > > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote:
> > > > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
> > > > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
> > > > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> > > > > > > strncpy may leave the destination buffer not NULL terminated so use
> > > > > > > snprintf instead.
> > > > > >
> > > > > > What do you think using 'strlcpy'?
> > > > >
> > > > > Or even better, rte_strscpy()
> > > > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
> > > > >
> > > > I think this is largely a matter of preference, and unless there is a good
> > > > reason not to, I tend towards strlcpy as the older and more common (till
> > > > now) interface. The main thing is just to use a function that will
> > > > guarantee dest is null-terminated here, and both strlcpy and strscpy meet
> > > > that criteria.
> > > >
> > > I'd also add that strlcpy is more likely to be recognised by tools like
> > > coverity, compared to rte_strscpy which is DPDK-specific.
> > >
> >
> > +1 to 'strlcpy'
>
> Using strlcpy will be more recognized by static analyzer indeed.
>
> But strscpy API is better:
>
> * It helps checking string truncation by making it easier:
>
> if (strlcpy(dst, src, dstsize) >= dstsize)
> /* Dev + reviewer needs to think about using >= and not >, dstsize is
> * repeated so either dst is an array or it needs a dedicated variable.
> * Deal with truncation.
> */
>
> if (rte_strscpy(dst, src, dstsize) < 0)
> /* deal with truncation. */
>
> * It is safer when dealing with unknown data source. strlcpy will always
> read all of src, because the API (uselessly) defines the return value
> to strlen(src).
>
> Having yet another string copy function is contentious, but we can avoid
> using worse API to please tools.
>
> And detecting string truncation *is* helpful. String are used as IDs in
> DPDK for some objects. Using strlcpy / snprintf at least protects from
> buffer overflow, which is a bare minimum. A good implementation would
> also warn the user about a config error / memory corruption happening
> sooner.
>
> In any case, sure to fix a sanity check strlcpy / snprintf will work.
>
Yes.
My main issue with strscpy right now is that it's got to be a DPDK-specific
function, since AFAIK it's defined in no standard C library, just in the
Linux kernel. If we get strscpy added to e.g. glibc, then we can see about
starting to use it - letting meson do the work of detect if it's present
and allowing us to define a fallback only in case it's not (i.e. as is done
with strlcpy).
next prev parent reply other threads:[~2020-10-09 10:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-07 9:01 Ciara Loftus
2020-10-07 9:40 ` Ferruh Yigit
2020-10-07 9:51 ` Olivier Matz
2020-10-07 10:26 ` Bruce Richardson
2020-10-07 10:28 ` Bruce Richardson
2020-10-07 11:45 ` Ferruh Yigit
2020-10-09 10:36 ` Gaëtan Rivet
2020-10-09 10:49 ` Bruce Richardson [this message]
2020-10-09 10:59 ` Ferruh Yigit
2020-10-09 16:37 ` Gaëtan Rivet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201009104942.GB1474@bricha3-MOBL.ger.corp.intel.com \
--to=bruce.richardson@intel.com \
--cc=ciara.loftus@intel.com \
--cc=dev@dpdk.org \
--cc=ferruh.yigit@intel.com \
--cc=grive@u256.net \
--cc=olivier.matz@6wind.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).