String handling parinoia fixes.

This patch enables the compile-time checking of strings assable by means of
sizeof().  (Original code had the configure check reversed).

This is extended to all safe_strcpy() users, push_string and pull_string,
as well as the cli and srv derivitives.  There is an attempt to cap strings
at the end of the cli buffer, and clobber_region() of the speified length
(when not -1 :-).

Becouse of the way they are declared, the 'overmalloc a string' users of
safe_strcpy() have been changed to use overmalloc_safe_strcpy() (which skips
some of the checks).

This whole ball of mud worked fine, until I pulled out my 'fix' for our
statcache.  When jeremy fixes that, we should be able to get back to testing
this stuff.

This patch also includes a 'marker' of the last caller to clobber_region (ie,
the function that called pstrcpy() that called clobber_region) to assist in
debugging problems that may have smashed the stack.  This is printed at
smb_panic() time.  (Original idea and patch by metze).

It also removes some unsused functions, and #if 0's some others that are
unused but probably should be used in the near future.

For now, this patch gives us some confidence on one class of trivial parsing
error in our code.

Andrew Bartlett
(This used to be commit 31f4827acc2a2f00399a5528fc83a0dae5cebaf4)

3 files changed, 59 insertions, 112 deletions

diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
index a8df003f8b..76d77ddd67 100644
--- a/source3/lib/charcnv.c
+++ b/source3/lib/charcnv.c
@@ -186,7 +186,7 @@ size_t convert_string(charset_t from, charset_t to,
  * @returns Size in bytes of the converted string; or -1 in case of error.
  **/
 
-size_t convert_string_allocate(charset_t from, charset_t to,
+static size_t convert_string_allocate(charset_t from, charset_t to,
 		      		void const *src, size_t srclen, void **dest)
 {
 	size_t i_len, o_len, destlen;
@@ -265,7 +265,7 @@ convert:
  *
  * @returns Size in bytes of the converted string; or -1 in case of error.
  **/
-size_t convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to,
+static size_t convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to,
 		      		void const *src, size_t srclen, void **dest)
 {
 	void *alloced_string;
@@ -303,7 +303,7 @@ size_t unix_strlower(const char *src, size_t srclen, char *dest, size_t destlen)
 }
 
 
-size_t ucs2_align(const void *base_ptr, const void *p, int flags)
+static size_t ucs2_align(const void *base_ptr, const void *p, int flags)
 {
 	if (flags & (STR_NOALIGN|STR_ASCII))
 		return 0;
@@ -356,11 +356,6 @@ size_t push_ascii_pstring(void *dest, const char *src)
 	return push_ascii(dest, src, sizeof(pstring), STR_TERMINATE);
 }
 
-size_t push_pstring(void *dest, const char *src)
-{
-	return push_ascii(dest, src, sizeof(pstring), STR_TERMINATE);
-}
-
 /**
  * Copy a string from a dos codepage source to a unix char* destination.
  *
@@ -507,7 +502,7 @@ size_t push_ucs2_allocate(smb_ucs2_t **dest, const char *src)
  is -1 then no maxiumum is used.
 **/
 
-size_t push_utf8(void *dest, const char *src, size_t dest_len, int flags)
+static size_t push_utf8(void *dest, const char *src, size_t dest_len, int flags)
 {
 	size_t src_len = strlen(src);
 	pstring tmpbuf;
@@ -533,11 +528,6 @@ size_t push_utf8_fstring(void *dest, const char *src)
 	return push_utf8(dest, src, sizeof(fstring), STR_TERMINATE);
 }
 
-size_t push_utf8_pstring(void *dest, const char *src)
-{
-	return push_utf8(dest, src, sizeof(pstring), STR_TERMINATE);
-}
-
 /**
  * Copy a string from a unix char* src to a UTF-8 destination, allocating a buffer using talloc
  *
@@ -666,7 +656,7 @@ size_t pull_ucs2_allocate(void **dest, const smb_ucs2_t *src)
  The resulting string in "dest" is always null terminated.
 **/
 
-size_t pull_utf8(char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
+static size_t pull_utf8(char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
 {
 	size_t ret;
 
@@ -690,16 +680,7 @@ size_t pull_utf8(char *dest, const void *src, size_t dest_len, size_t src_len, i
 
 	return src_len;
 }
-
-size_t pull_utf8_pstring(char *dest, const void *src)
-{
-	return pull_utf8(dest, src, sizeof(pstring), -1, STR_TERMINATE);
-}
-
-size_t pull_utf8_fstring(char *dest, const void *src)
-{
-	return pull_utf8(dest, src, sizeof(fstring), -1, STR_TERMINATE);
-}
+#endif
 
 /**
  * Copy a string from a UTF-8 src to a unix char * destination, allocating a buffer using talloc
@@ -745,8 +726,11 @@ size_t pull_utf8_allocate(void **dest, const char *src)
  is -1 then no maxiumum is used.
 **/
 
-size_t push_string(const void *base_ptr, void *dest, const char *src, size_t dest_len, int flags)
+size_t push_string_fn(const char *function, unsigned int line, const void *base_ptr, void *dest, const char *src, size_t dest_len, int flags)
 {
+	if (dest_len != (size_t)-1)
+		clobber_region(function, line, dest, dest_len);
+
 	if (!(flags & STR_ASCII) && \
 	    ((flags & STR_UNICODE || \
 	      (SVAL(base_ptr, smb_flg2) & FLAGS2_UNICODE_STRINGS)))) {
@@ -770,8 +754,11 @@ size_t push_string(const void *base_ptr, void *dest, const char *src, size_t des
  The resulting string in "dest" is always null terminated.
 **/
 
-size_t pull_string(const void *base_ptr, char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
+size_t pull_string_fn(const char *function, unsigned int line, const void *base_ptr, char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
 {
+	if (dest_len != (size_t)-1)
+		clobber_region(function, line, dest, dest_len);
+
 	if (!(flags & STR_ASCII) && \
 	    ((flags & STR_UNICODE || \
 	      (SVAL(base_ptr, smb_flg2) & FLAGS2_UNICODE_STRINGS)))) {
@@ -791,27 +778,6 @@ size_t align_string(const void *base_ptr, const char *p, int flags)
 }
 
 /**
- Convert from ucs2 to unix charset and return the
- allocated and converted string or NULL if an error occurred.
- You must provide a zero terminated string.
- The returning string will be zero terminated.
-**/
-
-char *acnv_u2ux(const smb_ucs2_t *src)
-{
-	size_t slen;
-	size_t dlen;
-	void *dest;
-	
-	slen = (strlen_w(src) + 1) * sizeof(smb_ucs2_t);
-	dlen = convert_string_allocate(CH_UCS2, CH_UNIX, src, slen, &dest);
-	if (dlen == (size_t)-1)
-		return NULL;
-	else
-		return dest;
-}
-
-/**
  Convert from unix to ucs2 charset and return the
  allocated and converted string or NULL if an error occurred.
  You must provide a zero terminated string.
@@ -833,27 +799,6 @@ smb_ucs2_t *acnv_uxu2(const char *src)
 }
 
 /**
- Convert from ucs2 to dos charset and return the
- allocated and converted string or NULL if an error occurred.
- You must provide a zero terminated string.
- The returning string will be zero terminated.
-**/
-
-char *acnv_u2dos(const smb_ucs2_t *src)
-{
-	size_t slen;
-	size_t dlen;
-	void *dest;
-	
-	slen = (strlen_w(src) + 1) * sizeof(smb_ucs2_t);
-	dlen = convert_string_allocate(CH_UCS2, CH_DOS, src, slen, &dest);
-	if (dlen == (size_t)-1)
-		return NULL;
-	else
-		return dest;
-}
-
-/**
  Convert from dos to ucs2 charset and return the
  allocated and converted string or NULL if an error occurred.
  You must provide a zero terminated string.
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 77ffa70a47..1f300a2815 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1398,9 +1398,23 @@ gid_t nametogid(const char *name)
 
 void smb_panic(const char *why)
 {
-	char *cmd = lp_panic_action();
+	char *cmd;
 	int result;
 
+#ifdef DEVELOPER
+	{
+		extern char *global_clobber_region_function;
+		extern unsigned int global_clobber_region_line;
+		
+		if (global_clobber_region_function) {
+			DEBUG(0,("smb_panic: clobber_region() last called from [%s(%u)]\n",
+				 global_clobber_region_function,
+				 global_clobber_region_line));
+		} 
+	}
+#endif
+	
+	cmd = lp_panic_action();
 	if (cmd && *cmd) {
 		DEBUG(0, ("smb_panic(): calling panic action [%s]\n", cmd));
 		result = system(cmd);
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index 7dd5ee4242..7643c2807e 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -21,6 +21,11 @@
 
 #include "includes.h"
 
+#ifdef DEVELOPER
+const char *global_clobber_region_function;
+unsigned int global_clobber_region_line;
+#endif
+
 /**
  * Get the next token from a string, return False if none found.
  * Handles double-quotes.
@@ -73,7 +78,7 @@ parameter so you can pass NULL. This is useful for user interface code
 but beware the fact that it is not re-entrant!
 **/
 
-static char *last_ptr=NULL;
+static const char *last_ptr=NULL;
 
 BOOL next_token_nr(const char **ptr,char *buff, const char *sep, size_t bufsize)
 {
@@ -410,28 +415,6 @@ size_t count_chars(const char *s,char c)
 }
 
 /**
-Return True if a string consists only of one particular character.
-**/
-
-BOOL str_is_all(const char *s,char c)
-{
-	smb_ucs2_t *ptr;
-
-	if(s == NULL)
-		return False;
-	if(!*s)
-		return False;
-  
-	push_ucs2(NULL, tmpbuf,s, sizeof(tmpbuf), STR_TERMINATE);
-	for(ptr=tmpbuf;*ptr;ptr++)
-		if(*ptr!=UCS2_CHAR(c))
-			return False;
-
-	return True;
-}
-
-
-/**
  * In developer builds, clobber a region of memory.
  *
  * If we think a string buffer is longer than it really is, this ought
@@ -442,11 +425,13 @@ BOOL str_is_all(const char *s,char c)
  * This is meant to catch possible string overflows, even if the
  * actual string copied is not big enough to cause an overflow.
  **/
-void clobber_region(char *dest, size_t len)
+void clobber_region(const char *fn, unsigned int line, char *dest, size_t len)
 {
 #ifdef DEVELOPER
 	/* F1 is odd and 0xf1f1f1f1 shouldn't be a valid pointer */
 	memset(dest, 0xF1, len);
+	global_clobber_region_function = fn;
+	global_clobber_region_line = line;
 #endif
 }
 
@@ -456,7 +441,7 @@ void clobber_region(char *dest, size_t len)
  include the terminating zero.
 **/
 
-char *safe_strcpy(char *dest,const char *src, size_t maxlength)
+char *safe_strcpy_fn(const char *fn, int line, char *dest,const char *src, size_t maxlength)
 {
 	size_t len;
 
@@ -465,7 +450,7 @@ char *safe_strcpy(char *dest,const char *src, size_t maxlength)
 		return NULL;
 	}
 
-	clobber_region(dest, maxlength+1);
+	clobber_region(fn,line,dest, maxlength+1);
 
 	if (!src) {
 		*dest = 0;
@@ -489,8 +474,7 @@ char *safe_strcpy(char *dest,const char *src, size_t maxlength)
  Safe string cat into a string. maxlength does not
  include the terminating zero.
 **/
-
-char *safe_strcat(char *dest, const char *src, size_t maxlength)
+char *safe_strcat_fn(const char *fn, int line, char *dest, const char *src, size_t maxlength)
 {
 	size_t src_len, dest_len;
 
@@ -505,8 +489,8 @@ char *safe_strcat(char *dest, const char *src, size_t maxlength)
 	src_len = strlen(src);
 	dest_len = strlen(dest);
 
-	clobber_region(dest + dest_len, maxlength + 1 - dest_len);
-	
+	clobber_region(fn, line, dest + dest_len, maxlength + 1 - dest_len);
+
 	if (src_len + dest_len > maxlength) {
 		DEBUG(0,("ERROR: string overflow by %d in safe_strcat [%.50s]\n",
 			 (int)(src_len + dest_len - maxlength), src));
@@ -528,12 +512,11 @@ char *safe_strcat(char *dest, const char *src, size_t maxlength)
  and replaces with '_'. Deliberately does *NOT* check for multibyte
  characters. Don't change it !
 **/
-
-char *alpha_strcpy(char *dest, const char *src, const char *other_safe_chars, size_t maxlength)
+char *alpha_strcpy_fn(const char *fn, int line, char *dest, const char *src, const char *other_safe_chars, size_t maxlength)
 {
 	size_t len, i;
 
-	clobber_region(dest, maxlength);
+	clobber_region(fn, line, dest, maxlength);
 
 	if (!dest) {
 		DEBUG(0,("ERROR: NULL dest in alpha_strcpy\n"));
@@ -569,13 +552,12 @@ char *alpha_strcpy(char *dest, const char *src, const char *other_safe_chars, si
  Like strncpy but always null terminates. Make sure there is room!
  The variable n should always be one less than the available size.
 **/
-
-char *StrnCpy(char *dest,const char *src,size_t n)
+char *StrnCpy_fn(const char *fn, int line,char *dest,const char *src,size_t n)
 {
 	char *d = dest;
 
-	clobber_region(dest, n+1);
-	
+	clobber_region(fn, line, dest, n+1);
+
 	if (!dest)
 		return(NULL);
 	
@@ -589,12 +571,13 @@ char *StrnCpy(char *dest,const char *src,size_t n)
 	return(dest);
 }
 
+#if 0
 /**
  Like strncpy but copies up to the character marker.  always null terminates.
  returns a pointer to the character marker in the source string (src).
 **/
 
-char *strncpyn(char *dest, const char *src, size_t n, char c)
+static char *strncpyn(char *dest, const char *src, size_t n, char c)
 {
 	char *p;
 	size_t str_len;
@@ -613,6 +596,7 @@ char *strncpyn(char *dest, const char *src, size_t n, char c)
 
 	return p;
 }
+#endif
 
 /**
  Routine to get hex characters and turn them into a 16 byte array.
@@ -923,7 +907,7 @@ void all_string_sub(char *s,const char *pattern,const char *insert, size_t len)
  Use with caution!
 **/
 
-smb_ucs2_t *all_string_sub_w(const smb_ucs2_t *s, const smb_ucs2_t *pattern,
+static smb_ucs2_t *all_string_sub_w(const smb_ucs2_t *s, const smb_ucs2_t *pattern,
 				const smb_ucs2_t *insert)
 {
 	smb_ucs2_t *r, *rp;
@@ -981,11 +965,12 @@ smb_ucs2_t *all_string_sub_wa(smb_ucs2_t *s, const char *pattern,
 	return all_string_sub_w(s, p, i);
 }
 
+#if 0
 /**
  Splits out the front and back at a separator.
 **/
 
-void split_at_last_component(char *path, char *front, char sep, char *back)
+static void split_at_last_component(char *path, char *front, char sep, char *back)
 {
 	char *p = strrchr_m(path, sep);
 
@@ -1004,6 +989,7 @@ void split_at_last_component(char *path, char *front, char sep, char *back)
 			back[0] = 0;
 	}
 }
+#endif
 
 /**
  Write an octal as a string.
@@ -1023,7 +1009,7 @@ const char *octal_string(int i)
  Truncate a string at a specified length.
 **/
 
-char *string_truncate(char *s, int length)
+char *string_truncate(char *s, unsigned int length)
 {
 	if (s && strlen(s) > length)
 		s[length] = 0;
@@ -1182,11 +1168,12 @@ char *binary_string(char *buf, int len)
 	return ret;
 }
 
+#if 0
 /**
  Just a typesafety wrapper for snprintf into a fstring.
 **/
 
- int fstr_sprintf(fstring s, const char *fmt, ...)
+static int fstr_sprintf(fstring s, const char *fmt, ...)
 {
 	va_list ap;
 	int ret;
@@ -1196,6 +1183,7 @@ char *binary_string(char *buf, int len)
 	va_end(ap);
 	return ret;
 }
+#endif
 
 #ifndef HAVE_STRNDUP
 /**