diff options
author | Andrew Bartlett <abartlet@samba.org> | 2003-03-15 07:14:55 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-03-15 07:14:55 +0000 |
commit | 3b5bc93e9db4df6ded2eef7b32bda74328b04811 (patch) | |
tree | a1eda3d3fa69f62a05414b4f0fff2f4520c81055 /source3/include | |
parent | 9a00acc472b3a9530ca71705faef3166aa9c4d47 (diff) | |
download | samba-3b5bc93e9db4df6ded2eef7b32bda74328b04811.tar.gz samba-3b5bc93e9db4df6ded2eef7b32bda74328b04811.tar.bz2 samba-3b5bc93e9db4df6ded2eef7b32bda74328b04811.zip |
String handling parinoia fixes.
This patch enables the compile-time checking of strings assable by means of
sizeof(). (Original code had the configure check reversed).
This is extended to all safe_strcpy() users, push_string and pull_string,
as well as the cli and srv derivitives. There is an attempt to cap strings
at the end of the cli buffer, and clobber_region() of the speified length
(when not -1 :-).
Becouse of the way they are declared, the 'overmalloc a string' users of
safe_strcpy() have been changed to use overmalloc_safe_strcpy() (which skips
some of the checks).
This whole ball of mud worked fine, until I pulled out my 'fix' for our
statcache. When jeremy fixes that, we should be able to get back to testing
this stuff.
This patch also includes a 'marker' of the last caller to clobber_region (ie,
the function that called pstrcpy() that called clobber_region) to assist in
debugging problems that may have smashed the stack. This is printed at
smb_panic() time. (Original idea and patch by metze).
It also removes some unsused functions, and #if 0's some others that are
unused but probably should be used in the near future.
For now, this patch gives us some confidence on one class of trivial parsing
error in our code.
Andrew Bartlett
(This used to be commit 31f4827acc2a2f00399a5528fc83a0dae5cebaf4)
Diffstat (limited to 'source3/include')
-rw-r--r-- | source3/include/includes.h | 1 | ||||
-rw-r--r-- | source3/include/safe_string.h | 161 | ||||
-rw-r--r-- | source3/include/srvstr.h | 36 |
3 files changed, 174 insertions, 24 deletions
diff --git a/source3/include/includes.h b/source3/include/includes.h index 25245e9c0c..2bba9d5084 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -855,6 +855,7 @@ struct printjob; /* String routines */ +#include "srvstr.h" #include "safe_string.h" #ifdef __COMPAR_FN_T diff --git a/source3/include/safe_string.h b/source3/include/safe_string.h index 6c2bd82bb9..c7386d3ac4 100644 --- a/source3/include/safe_string.h +++ b/source3/include/safe_string.h @@ -48,29 +48,45 @@ #endif /* !_SPLINT_ */ + char * __unsafe_string_function_usage_here__(void); -#ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS +size_t __unsafe_string_function_usage_here2__(void); -#define pstrcpy(d,s) ((sizeof(d) != sizeof(pstring) && sizeof(d) != sizeof(char *)) ? __unsafe_string_function_usage_here__() : safe_strcpy((d), (s),sizeof(pstring)-1)) -#define pstrcat(d,s) ((sizeof(d) != sizeof(pstring) && sizeof(d) != sizeof(char *)) ? __unsafe_string_function_usage_here__() : safe_strcat((d), (s),sizeof(pstring)-1)) -#define fstrcpy(d,s) ((sizeof(d) != sizeof(fstring) && sizeof(d) != sizeof(char *)) ? __unsafe_string_function_usage_here__() : safe_strcpy((d),(s),sizeof(fstring)-1)) -#define fstrcat(d,s) ((sizeof(d) != sizeof(fstring) && sizeof(d) != sizeof(char *)) ? __unsafe_string_function_usage_here__() : safe_strcat((d),(s),sizeof(fstring)-1)) +#ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS -#define fstrterminate(d) ((sizeof(d) != sizeof(fstring) && sizeof(d) != sizeof(char *)) ? __unsafe_string_function_usage_here__() : (((d)[sizeof(fstring)-1]) = '\0')) -#define pstrterminate(d) ((sizeof(d) != sizeof(pstring) && sizeof(d) != sizeof(char *)) ? __unsafe_string_function_usage_here__() : (((d)[sizeof(pstring)-1]) = '\0')) +/* if the compiler will optimize out function calls, then use this to tell if we are + have the correct types (this works only where sizeof() returns the size of the buffer, not + the size of the pointer). */ + +#define CHECK_STRING_SIZE(d, len) (sizeof(d) != (len) && sizeof(d) != sizeof(char *)) + +#define fstrterminate(d) (CHECK_STRING_SIZE(d, sizeof(fstring)) \ + ? __unsafe_string_function_usage_here__() \ + : (((d)[sizeof(fstring)-1]) = '\0')) +#define pstrterminate(d) (CHECK_STRING_SIZE(d, sizeof(pstring)) \ + ? __unsafe_string_function_usage_here__() \ + : (((d)[sizeof(pstring)-1]) = '\0')) + +#define wpstrcpy(d,s) ((sizeof(d) != sizeof(wpstring) && sizeof(d) != sizeof(smb_ucs2_t *)) \ + ? __unsafe_string_function_usage_here__() \ + : safe_strcpy_w((d),(s),sizeof(wpstring))) +#define wpstrcat(d,s) ((sizeof(d) != sizeof(wpstring) && sizeof(d) != sizeof(smb_ucs2_t *)) \ + ? __unsafe_string_function_usage_here__() \ + : safe_strcat_w((d),(s),sizeof(wpstring))) +#define wfstrcpy(d,s) ((sizeof(d) != sizeof(wfstring) && sizeof(d) != sizeof(smb_ucs2_t *)) \ + ? __unsafe_string_function_usage_here__() \ + : safe_strcpy_w((d),(s),sizeof(wfstring))) +#define wfstrcat(d,s) ((sizeof(d) != sizeof(wfstring) && sizeof(d) != sizeof(smb_ucs2_t *)) \ + ? __unsafe_string_function_usage_here__() \ + : safe_strcat_w((d),(s),sizeof(wfstring))) -#define wpstrcpy(d,s) ((sizeof(d) != sizeof(wpstring) && sizeof(d) != sizeof(smb_ucs2_t *)) ? __unsafe_string_function_usage_here__() : safe_strcpy_w((d),(s),sizeof(wpstring))) -#define wpstrcat(d,s) ((sizeof(d) != sizeof(wpstring) && sizeof(d) != sizeof(smb_ucs2_t *)) ? __unsafe_string_function_usage_here__() : safe_strcat_w((d),(s),sizeof(wpstring))) -#define wfstrcpy(d,s) ((sizeof(d) != sizeof(wfstring) && sizeof(d) != sizeof(smb_ucs2_t *)) ? __unsafe_string_function_usage_here__() : safe_strcpy_w((d),(s),sizeof(wfstring))) -#define wfstrcat(d,s) ((sizeof(d) != sizeof(wfstring) && sizeof(d) != sizeof(smb_ucs2_t *)) ? __unsafe_string_function_usage_here__() : safe_strcat_w((d),(s),sizeof(wfstring))) +#define push_pstring_base(dest, src, pstring_base) \ + (CHECK_STRING_SIZE(pstring_base, sizeof(pstring)) \ + ? __unsafe_string_function_usage_here2__() \ + : push_ascii(dest, src, sizeof(pstring)-PTR_DIFF(dest,pstring_base)-1, STR_TERMINATE)) -#else - -#define pstrcpy(d,s) safe_strcpy((d), (s),sizeof(pstring)-1) -#define pstrcat(d,s) safe_strcat((d), (s),sizeof(pstring)-1) -#define fstrcpy(d,s) safe_strcpy((d),(s),sizeof(fstring)-1) -#define fstrcat(d,s) safe_strcat((d),(s),sizeof(fstring)-1) +#else /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */ #define fstrterminate(d) (((d)[sizeof(fstring)-1]) = '\0') #define pstrterminate(d) (((d)[sizeof(pstring)-1]) = '\0') @@ -80,12 +96,10 @@ char * __unsafe_string_function_usage_here__(void); #define wfstrcpy(d,s) safe_strcpy_w((d),(s),sizeof(wfstring)) #define wfstrcat(d,s) safe_strcat_w((d),(s),sizeof(wfstring)) -#endif +#define push_pstring_base(dest, src, pstring_base) \ + push_ascii(dest, src, sizeof(pstring)-PTR_DIFF(dest,pstring_base)-1, STR_TERMINATE) -/* replace some string functions with multi-byte - versions */ -#define strlower(s) strlower_m(s) -#define strupper(s) strupper_m(s) +#endif /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */ /* the addition of the DEVELOPER checks in safe_strcpy means we must * update a lot of code. To make this a little easier here are some @@ -93,7 +107,106 @@ char * __unsafe_string_function_usage_here__(void); #define pstrcpy_base(dest, src, pstring_base) \ safe_strcpy(dest, src, sizeof(pstring)-PTR_DIFF(dest,pstring_base)-1) -#define push_pstring_base(dest, src, pstring_base) \ - push_ascii(dest, src, sizeof(pstring)-PTR_DIFF(dest,pstring_base)-1, STR_TERMINATE) + +/* String copy functions - macro hell below adds 'type checking' (limited, but the best we can + do in C) and may tag with function name/number to record the last 'clobber region' on + that string */ + +#define pstrcpy(d,s) safe_strcpy((d), (s),sizeof(pstring)-1) +#define pstrcat(d,s) safe_strcat((d), (s),sizeof(pstring)-1) +#define fstrcpy(d,s) safe_strcpy((d),(s),sizeof(fstring)-1) +#define fstrcat(d,s) safe_strcat((d),(s),sizeof(fstring)-1) + +/* the addition of the DEVELOPER checks in safe_strcpy means we must + * update a lot of code. To make this a little easier here are some + * functions that provide the lengths with less pain */ +#define pstrcpy_base(dest, src, pstring_base) \ + safe_strcpy(dest, src, sizeof(pstring)-PTR_DIFF(dest,pstring_base)-1) + + +/* inside the _fn varients of these is a call to 'clobber_region' - which might + destory the stack on a buggy function. Help the debugging process by putting + the function and line it was last called from into a static buffer + + But only for developers */ + +#ifdef DEVELOPER +#define overmalloc_safe_strcpy(dest,src,maxlength) safe_strcpy_fn(__FUNCTION__,__LINE__,dest,src,maxlength) +#define safe_strcpy(dest,src,maxlength) safe_strcpy_fn2(__FUNCTION__,__LINE__,dest,src,maxlength) +#define safe_strcat(dest,src,maxlength) safe_strcat_fn2(__FUNCTION__,__LINE__,dest,src,maxlength) +#define push_string(base_ptr, dest, src, dest_len, flags) push_string_fn2(__FUNCTION__, __LINE__, base_ptr, dest, src, dest_len, flags) +#define pull_string(base_ptr, dest, src, dest_len, src_len, flags) pull_string_fn2(__FUNCTION__, __LINE__, base_ptr, dest, src, dest_len, src_len, flags) +#define clistr_push(cli, dest, src, dest_len, flags) clistr_push_fn2(__FUNCTION__, __LINE__, cli, dest, src, dest_len, flags) +#define clistr_pull(cli, dest, src, dest_len, src_len, flags) clistr_pull_fn2(__FUNCTION__, __LINE__, cli, dest, src, dest_len, src_len, flags) + +#define alpha_strcpy(dest,src,other_safe_chars,maxlength) alpha_strcpy_fn(__FUNCTION__,__LINE__,dest,src,other_safe_chars,maxlength) +#define StrnCpy(dest,src,n) StrnCpy_fn(__FUNCTION__,__LINE__,dest,src,n) + +#else + +#define overmalloc_safe_strcpy(dest,src,maxlength) safe_strcpy_fn(NULL,0,dest,src,maxlength) +#define safe_strcpy(dest,src,maxlength) safe_strcpy_fn2(NULL,0,dest,src,maxlength) +#define safe_strcat(dest,src,maxlength) safe_strcat_fn2(NULL,0,dest,src,maxlength) +#define push_string(base_ptr, dest, src, dest_len, flags) push_string_fn2(NULL, 0, base_ptr, dest, src, dest_len, flags) +#define pull_string(base_ptr, dest, src, dest_len, src_len, flags) pull_string_fn2(NULL, 0, base_ptr, dest, src, dest_len, src_len, flags) +#define clistr_push(cli, dest, src, dest_len, flags) clistr_push_fn2(NULL, 0, cli, dest, src, dest_len, flags) +#define clistr_pull(cli, dest, src, dest_len, src_len, flags) clistr_push_fn2(NULL, 0, cli, dest, src, dest_len, src_len, flags) + +#define alpha_strcpy(dest,src,other_safe_chars,maxlength) alpha_strcpy_fn(NULL,0,dest,src,other_safe_chars,maxlength) +#define StrnCpy(dest,src,n) StrnCpy_fn(NULL,0,dest,src,n) +#endif /* DEVELOPER */ + + +#ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS + +/* if the compiler will optimize out function calls, then use this to tell if we are + have the correct types (this works only where sizeof() returns the size of the buffer, not + the size of the pointer). */ + +#define safe_strcpy_fn2(fn_name, fn_line, d, s, max_len) \ + (CHECK_STRING_SIZE(d, max_len+1) \ + ? __unsafe_string_function_usage_here__() \ + : safe_strcpy_fn(fn_name, fn_line, (d), (s), (max_len))) + +#define safe_strcat_fn2(fn_name, fn_line, d, s, max_len) \ + (CHECK_STRING_SIZE(d, max_len+1) \ + ? __unsafe_string_function_usage_here__() \ + : safe_strcat_fn(fn_name, fn_line, (d), (s), (max_len))) + +#define push_string_fn2(fn_name, fn_line, base_ptr, dest, src, dest_len, flags) \ + (CHECK_STRING_SIZE(dest, dest_len) \ + ? __unsafe_string_function_usage_here2__() \ + : push_string_fn(fn_name, fn_line, base_ptr, dest, src, dest_len, flags)) + +#define pull_string_fn2(fn_name, fn_line, base_ptr, dest, src, dest_len, src_len, flags) \ + (CHECK_STRING_SIZE(dest, dest_len) \ + ? __unsafe_string_function_usage_here2__() \ + : pull_string_fn(fn_name, fn_line, base_ptr, dest, src, dest_len, src_len, flags)) + +#define clistr_push_fn2(fn_name, fn_line, cli, dest, src, dest_len, flags) \ + (CHECK_STRING_SIZE(dest, dest_len) \ + ? __unsafe_string_function_usage_here2__() \ + : clistr_push_fn(fn_name, fn_line, cli, dest, src, dest_len, flags)) + +#define clistr_pull_fn2(fn_name, fn_line, cli, dest, src, dest_len, srclen, flags) \ + (CHECK_STRING_SIZE(dest, dest_len) \ + ? __unsafe_string_function_usage_here2__() \ + : clistr_pull_fn(fn_name, fn_line, cli, dest, src, dest_len, srclen, flags)) + +#else + +#define safe_strcpy_fn2 safe_strcpy_fn +#define safe_strcat_fn2 safe_strcat_fn +#define push_string_fn2 push_string_fn +#define pull_string_fn2 pull_string_fn +#define clistr_push_fn2 clistr_push_fn2 +#define clistr_pull_fn2 clistr_pull_fn2 + +#endif + +/* replace some string functions with multi-byte + versions */ +#define strlower(s) strlower_m(s) +#define strupper(s) strupper_m(s) #endif diff --git a/source3/include/srvstr.h b/source3/include/srvstr.h new file mode 100644 index 0000000000..a433e0e3f9 --- /dev/null +++ b/source3/include/srvstr.h @@ -0,0 +1,36 @@ +/* + Unix SMB/CIFS implementation. + server specific string routines + Copyright (C) Andrew Tridgell 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#define srvstr_push(base_ptr, dest, src, dest_len, flags) \ + push_string(base_ptr, dest, src, dest_len, flags) + +#define srvstr_pull(base_ptr, dest, src, dest_len, src_len, flags) \ + pull_string(base_ptr, dest, src, dest_len, src_len, flags) + +/* pull a string from the smb_buf part of a packet. In this case the + string can either be null terminated or it can be terminated by the + end of the smbbuf area +*/ + +#define srvstr_pull_buf(inbuf, dest, src, dest_len, flags) \ + pull_string(inbuf, dest, src, dest_len, smb_bufrem(inbuf, src), flags) + |