|
Message-ID: <20150618004040.GK1173@brightrain.aerifal.cx> Date: Wed, 17 Jun 2015 20:40:41 -0400 From: Rich Felker <dalias@...c.org> To: musl@...ts.openwall.com Subject: Re: [PATCH] Implement glibc *_chk interfaces for ABI compatibility. On Wed, Jun 17, 2015 at 02:07:08PM -0500, Josiah Worcester wrote: > >> +size_t __wcrtomb_chk(char *restrict s, wchar_t wc, mbstate_t *restrict st, size_t slen) > >> +{ > >> + if (slen < MB_CUR_MAX) a_crash(); > >> + return wcrtomb(s, wc, st); > >> +} > > > > i think this can cause a false positive crash > > but glibc seems to do the same.. > > > > (eg some api passes wchar_t* and the exact mb encoded length of > > a string so the output s can be safely shorter than max mb length) > > > I'm not sure if we should match glibc here or do a better check. > > Thanks for the input. I'm going to wait a bit before posting a new > patch, though, in hopes that more comments are forthcoming. This code is definitely wrong as-is; for example: char c; wcrtomb(&c, L'0', st) is perfectly valid (albeit useless) code. Other examples are possible too. I think a decent check would be: size_t r = wcrtomb(s, wc, st); if (r+1 > slen+1) a_crash(); return r; This allows an overflow of up to 3 bytes to occur before the trap, but there's no way a valid dest buffer could be within 3 bytes of this function's or wcrtomb's stack, so you should safely reach the a_crash even on overflow. The alternative would be using a temp buffer of size MB_LEN_MAX and then performing memcpy to the caller's buffer if the result fits or a_crash if not. Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.