From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by dpdk.org (Postfix) with ESMTP id 2A4001B645; Fri, 8 Feb 2019 18:04:24 +0100 (CET) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6A1D159459; Fri, 8 Feb 2019 17:04:23 +0000 (UTC) Received: from dhcp-25.97.bos.redhat.com (unknown [10.18.25.61]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C4356600C4; Fri, 8 Feb 2019 17:04:22 +0000 (UTC) From: Aaron Conole To: Pallantla Poornima Cc: dev@dpdk.org, reshma.pattan@intel.com, ferruh.yigit@intel.com, stable@dpdk.org References: <1549632457-15892-1-git-send-email-pallantlax.poornima@intel.com> Date: Fri, 08 Feb 2019 12:04:22 -0500 In-Reply-To: <1549632457-15892-1-git-send-email-pallantlax.poornima@intel.com> (Pallantla Poornima's message of "Fri, 8 Feb 2019 13:27:37 +0000") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Fri, 08 Feb 2019 17:04:23 +0000 (UTC) Subject: Re: [dpdk-dev] [PATCH] test: fix sprintf with snprintf X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Feb 2019 17:04:24 -0000 Pallantla Poornima writes: > sprintf function is not secure as it doesn't check the length of string. > More secure function snprintf is used. > > Fixes: 727909c592 ("app/test: introduce dynamic commands list") > Cc: stable@dpdk.org > > Signed-off-by: Pallantla Poornima > --- > test/test/commands.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/test/test/commands.c b/test/test/commands.c > index 94fbc310e..5aeb35498 100644 > --- a/test/test/commands.c > +++ b/test/test/commands.c > @@ -367,6 +367,8 @@ int commands_init(void) > struct test_command *t; > char *commands, *ptr; > int commands_len = 0; > + int total_written = 0; > + int count = 0; > > TAILQ_FOREACH(t, &commands_list, next) { > commands_len += strlen(t->command) + 1; > @@ -378,7 +380,10 @@ int commands_init(void) > > ptr = commands; > TAILQ_FOREACH(t, &commands_list, next) { > - ptr += sprintf(ptr, "%s#", t->command); > + count = snprintf(ptr, commands_len - total_written - 1, "%s#", > + t->command); > + ptr += count; This code is wrong. From the manpage: Upon successful completion, the snprintf() function shall return the number of bytes that would be written to s had n been sufficiently large excluding the terminating null byte. This code you've placed will improperly increment the number of bytes taken, since you don't actually check it. Additionally, the correct size is calculated in the preceeding blocks, and then the appropriately sized block is allocated. It doesn't make any sense to make the change this way. If you are intent on changing this code, I suggest something like the following (completely untested code). The rte_xsprintf() function can be used in other areas where you're proposing these refactors (but again see my earlier comments about whether these are actual concerns, or just 'I dislike the sprintf call'). --- diff --git a/lib/librte_eal/common/include/rte_string_fns.h b/lib/librte_eal/common/include/rte_string_fns.h index 9a2a1ff90..3554c496a 100644 --- a/lib/librte_eal/common/include/rte_string_fns.h +++ b/lib/librte_eal/common/include/rte_string_fns.h @@ -98,6 +98,41 @@ rte_strlcpy(char *dst, const char *src, size_t size) ssize_t rte_strscpy(char *dst, const char *src, size_t dsize); +/* Find a better place for this? */ +#define ALWAYS_ASSERT(expr) \ + if (!(expr)) rte_panic("Assert failed: %s", #expr) + +/** + * Allocates an appropriately sized string and fills it with + * formatted output. Aborts if no memory can be allocated. + * + * @param fmt + * The format string. See the documentation for printf + * for valid format strings. + * + * @return + * A string filled with formatted output. Caller must release + * this memory with a call to free(). + */ +static inline char * +rte_xsprintf(const char *fmt, ...) +{ + va_list args,args2; + size_t needed; + char *result; + + va_start(args, fmt); + va_copy(args2, args); + needed = vsnprintf(NULL, 0, fmt, args); + result = malloc(needed+1); + ALWAYS_ASSERT(result != NULL); + vsnprintf(result, needed+1, fmt, args2); + va_end(args2); + va_end(args); + + return result; +} + #ifdef __cplusplus } #endif diff --git a/test/test/commands.c b/test/test/commands.c index 94fbc310e..eba96b9c9 100644 --- a/test/test/commands.c +++ b/test/test/commands.c @@ -365,24 +365,19 @@ cmdline_parse_ctx_t main_ctx[] = { int commands_init(void) { struct test_command *t; - char *commands, *ptr; - int commands_len = 0; + char *ptr = NULL, *old; TAILQ_FOREACH(t, &commands_list, next) { - commands_len += strlen(t->command) + 1; - } - - commands = malloc(commands_len + 1); - if (!commands) - return -1; + if (!ptr) { + ptr = xprintf("%s", t->command); + continue; + } - ptr = commands; - TAILQ_FOREACH(t, &commands_list, next) { - ptr += sprintf(ptr, "%s#", t->command); + old = ptr; + ptr = xprintf("%s#%s", old, t->command); + free(old); } - ptr--; - ptr[0] = '\0'; - cmd_autotest_autotest.string_data.str = commands; + cmd_autotest_autotest.string_data.str = ptr; return 0; } ---