author | Martin Pool <mbp@samba.org> | 2002-01-14 06:15:07 +0000 |
---|---|---|
committer | Martin Pool <mbp@samba.org> | 2002-01-14 06:15:07 +0000 |
commit | 1b6c848c1063a2a99d0d7515a6b0af61e7c59cf3 (patch) | |
tree | aae2842e34b98d49b1bc4eaa516776c869fb18b7 | |
parent | cb4658d41951cd612e0c88e2829f6e1f2fae30e1 (diff) | |
PSTRING_SANCTIFY:
If you define this, pstring and fstring become distinguished types, so
that it's harder to accidentally overflow them by for example passing
an fstring on the lhs of pstrcpy.
The types are defined as one-element union arrays so that with
"fstring f" the name "f" will be a pointer and with a big hammer you
can cast it to (char *). So code that tries to just use it directly
will get a loud warning, but hopefully nothing worse.
To pass them to non-pstring-aware functions, use PSTR and check that
the function takes a const. They should almost never be modified
except by special calls. In those unusual cases, use PSTR_MUTABLE.
This is off by default so as not to produce too many warnings. As the
code is vetted it can become the default.
(This used to be commit ca233bc8b30d7d0626039b2769c4e1ae92dafd50)
-rw-r--r-- | source3/include/smb.h | 53 |
1 files changed, 50 insertions, 3 deletions
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 98d958507f..4a9a6ccd3b 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1,11 +1,12 @@
 /*
 Unix SMB/Netbios implementation.
- Version 1.9.
- SMB parameters and setup
+ SMB parameters and setup, plus a whole lot more.
+
 Copyright (C) Andrew Tridgell 1992-2000
 Copyright (C) John H Terpstra 1996-2000
 Copyright (C) Luke Kenneth Casson Leighton 1996-2000
 Copyright (C) Paul Ashton 1998-2000
+ Copyright (C) Martin Pool 2002
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -154,17 +155,63 @@ implemented */
 #include "doserr.h"
+
+
 #ifndef _PSTRING
 #define PSTRING_LEN 1024
 #define FSTRING_LEN 256
+#ifdef PSTRING_SANCTIFY
+
+/* If you define this, pstring and fstring become distinguished types,
+ * so that it's harder to accidentally overflow them by for example
+ * passing an fstring on the lhs of pstrcpy.
+ *
+ * The types are defined as one-element union arrays so that with
+ * "fstring f" the name "f" will be a pointer and with a big hammer
+ * you can cast it to (char *). So code that tries to just use it
+ * directly will get a loud warning, but hopefully nothing worse.
+ *
+ * To pass them to non-pstring-aware functions, use PSTR and check
+ * that the function takes a const. They should almost never be
+ * modified except by special calls. In those unusual cases, use
+ * PSTR_MUTABLE.
+ *
+ * This is off by default so as not to produce too many warnings. As
+ * the code is vetted it can become the default. */
+
+typedef union { char pstring_contents[PSTRING_LEN]; } pstring[1];
+typedef union { char fstring_contents[FSTRING_LEN]; } fstring[1];
+
+# define PSTR(p) ((const char *) ((p)->pstring_contents))
+# define FSTR(f) ((const char *) ((f)->fstring_contents))
+
+/* You should not normally use these. Instead, use pstrcpy, etc. */
+# define PSTR_MUTABLE(p) ((p)->pstring_contents)
+# define FSTR_MUTABLE(f) ((f)->fstring_contents)
+
+/* See also safe_string.h */
+
+#else /* ndef PSTRING_SANCTIFY */
+
+/* Old interface. */
+
 typedef char pstring[PSTRING_LEN];
 typedef char fstring[FSTRING_LEN];
+#define PSTR(p) (p)
+#define FSTR(f) (f)
+#define PSTR_MUTABLE(p) (p)
+#define FSTR_MUTABLE(f) (f)
+
+#endif /* ndef PSTRING_SANCTIFY */
+
 #define _PSTRING
-#endif
+#endif /* ndef _PSTRING */
+
+
 /*
 * SMB UCS2 (16-bit unicode) internal type. |
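Review bot: In the old-interface branch, `#define PSTR(p) (p)` and `#define FSTR(f) (f)` yield a plain `char *`, so the read-only contract that the sanctified `PSTR`/`FSTR` enforce with their `(const char *)` cast is not checked in the default build. Code that writes through `PSTR()` would compile silently until PSTRING_SANCTIFY is defined, so the default build gives no early warning about the call sites this change is meant to expose. Consider `#define PSTR(p) ((const char *) (p))` and `#define FSTR(f) ((const char *) (f))` in the `#else` branch, accepting that the cast also hides a wrong argument type there. Failing that, the comment should say that const is only enforced under PSTRING_SANCTIFY.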