Various fixes related to string copying #681
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alejandro-colomar
force-pushed
the
strlcpy
branch
from
81983d3
to
927fb93
Compare
|
Changes:
|
alejandro-colomar
force-pushed
the
strlcpy
branch
from
927fb93
to
a846241
Compare
|
Changes:
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
alejandro-colomar
force-pushed
the
strlcpy
branch
from
a846241
to
bc55eae
Compare
|
Changes:
|
|
Hi Iker, Paul,
On 3/17/23 11:52, Iker Pedrosa wrote:
@ikerexxe commented on this pull request.
Only a minor question.
> }
+
+ tm = gmtime(&t);
+ if (tm == NULL) {
+ (void) strlcpy(buf, "future", size);
Why do you assume this is `future`? I'm checking the documentation and I haven't found any reference to it.
Hmm, I'm not sure. This was done by Paul (although I modified the
implementation), who knows the time APIs much better than me, so I've
CCed him. From what I can see, the only error documented in gmtime(3) is:
ERRORS
EOVERFLOW
The result cannot be represented.
Paul, does EOVERFLOW always correspond to far-future times?
Cheers,
Alex
…
> }
+
+ tm = gmtime(&t);
There's no risk here as we only have one thread, so I'm dismissing the alert.
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
|
|
On 3/17/23 09:29, Alejandro Colomar wrote:
Paul, does EOVERFLOW always correspond to far-future times?
It does if the time is nonnegative, which as I recall is the case here.
|
|
On 3/17/23 22:41, Paul Eggert wrote:
On 3/17/23 09:29, Alejandro Colomar wrote:
> Paul, does EOVERFLOW always correspond to far-future times?
It does if the time is nonnegative, which as I recall is the case here.
Thanks! Yes, that's the case.
…--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
|
ikerexxe
approved these changes
Mar 20, 2023
* lib/fields.c (change_field): Since we know the string fits, use strcpy(3) rather than strlcpy(3). Signed-off-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
* fields.c (change_field): Omit unnecessary test. Signed-off-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
* lib/fields.c (change_field): Don't point before array start; that has undefined behavior. Signed-off-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
* lib/gshadow.c (sgetsgent): Use strcpy(3) not strlcpy(3), since the string is known to fit. Signed-off-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
* libmisc/date_to_str.c (date_to_str): Do not crash if gmtime(3) returns NULL because the timestamp is far in the future. Reported-by: Paul Eggert <eggert@cs.ucla.edu> Co-developed-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
* libmisc/utmp.c (is_my_tty): Declare the parameter as a char array, not char *, as it is not necessarily null-terminated. Avoid a read overrun when reading 'tty', which comes from 'ut_utname'. Reported-by: Paul Eggert <eggert@cs.ucla.edu> Co-developed-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
This commit will serve to document why we shouldn't worry about the truncation in the call to strlcpy(3). Since we have one more byte in tmptty than in full_tty, truncation will produce a string that is at least one byte longer than full_tty. Such a string could never compare equal, so we're actually handling the truncation in a clever way. Maybe too clever, but that's why I'm documenting it here. Now, about the simplification itself: Since we made sure that both full_tty and tmptty are null-terminated, we can call strcmp(3) instead of strncmp(3). We can also simplify the return logic avoiding one branch. Cc: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
* src/su.c (check_perms): Do not silently truncate user name. Reported-by: Paul Eggert <eggert@cs.ucla.edu> Co-developed-by: Paul Eggert <eggert@cs.ucla.edu> Signed-off-by: Alejandro Colomar <alx@kernel.org> Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
alejandro-colomar
force-pushed
the
strlcpy
branch
from
bc55eae
to
1c0e012
Compare
|
Changes:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This consists of some patches from @eggert, and some patches of mine which have been more or less based on his suggestions. See the origin of the discussion at Debbugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032393#159.
I didn't intend to remove strlcpy(3), since the bugs are independent of the use of strlcpy(3). I opted for fixing the bugs, and keeping strlcpy(3) where it's (IMO) the most appropriate call.
We might want to drop strlcpy(3), but I think that should be addressed separately, and after having fixed the bugs.
There's one patch from Paul that I didn't take or write an alternative, and that's because I didn't yet understand it. It's
Avoid silent truncation of console file data(see Debbugs above).