svn commit: r210578 - head/usr.bin/grep
Xin LI
delphij at delphij.net
Thu Jul 29 22:25:12 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi, Jilles,
Thanks for your comments.
On 2010/07/29 05:20, Jilles Tjoelker wrote:
> On Thu, Jul 29, 2010 at 12:11:14AM +0000, Gabor Kovesdan wrote:
>> Author: gabor
>> Date: Thu Jul 29 00:11:14 2010
>> New Revision: 210578
>> URL: http://svn.freebsd.org/changeset/base/210578
>
>> Log:
>> - Some improvements on the exiting code, like replacing memcpy with
>> strlcpy/strcpy
>
> Hmm, I don't think this is an improvement :(
>
> If you know the length of the string, then memcpy() is usually the right
> function to use. I think this is clearer, and it is definitely more
> efficient.
Agreed.
> The strlcpy() function is for cases where the code does not know the
> length. The receiving buffer typically has a fixed length and overflow
> either leads to an error condition or silent truncation. (In the latter
> case, a security problem might still result.)
>
> Note that this is the reasoning of the glibc people why they do not want
> strlcat/strlcpy. I think these functions are acceptable but should be
> used with care, not as a panacea against all buffer overflows.
>
>> Modified: head/usr.bin/grep/fastgrep.c
>> ==============================================================================
>> --- head/usr.bin/grep/fastgrep.c Wed Jul 28 21:52:09 2010 (r210577)
>> +++ head/usr.bin/grep/fastgrep.c Thu Jul 29 00:11:14 2010 (r210578)
>> @@ -119,8 +119,7 @@ fastcomp(fastgrep_t *fg, const char *pat
>> * string respectively.
>> */
>> fg->pattern = grep_malloc(fg->len + 1);
>> - memcpy(fg->pattern, pat + (bol ? 1 : 0) + wflag, fg->len);
>> - fg->pattern[fg->len] = '\0';
>> + strlcpy(fg->pattern, pat + (bol ? 1 : 0) + wflag, fg->len + 1);
>>
>> /* Look for ways to cheat...er...avoid the full regex engine. */
>> for (i = 0; i < fg->len; i++) {
>
> :(
>
> Note that this code may not be safe if fg->len comes from an untrusted
> user, as fg->len + 1 is 0 if fg->len == SIZE_MAX. This is not the case
> if fg->len is an actual length from strlen() or similar.
Speaking for this piece of code, I have to say that the modified version
is actually safer (an improvement, as the attacker could not overwrite
arbitrary memory).
If fg->len + 1 == 0, fg->pattern would point to a small area (assuming
normal malloc.conf setting without V) where, for memcpy, it would
overwrite fg->len bytes, while strlcpy() will do nothing.
By the way how can fg->len come from an untrusted party? It's
strlen(pat) which I don't think can ever reach SIZE_MAX without crashing
the program.
I'll dig further for this piece of code anyways.
>> Modified: head/usr.bin/grep/grep.c
>> ==============================================================================
>> --- head/usr.bin/grep/grep.c Wed Jul 28 21:52:09 2010 (r210577)
>> +++ head/usr.bin/grep/grep.c Thu Jul 29 00:11:14 2010 (r210578)
> [snip]
>> @@ -234,32 +237,44 @@ add_pattern(char *pat, size_t len)
>> --len;
>> /* pat may not be NUL-terminated */
>> pattern[patterns] = grep_malloc(len + 1);
>> - memcpy(pattern[patterns], pat, len);
>> - pattern[patterns][len] = '\0';
>> + strlcpy(pattern[patterns], pat, len + 1);
>> ++patterns;
>> }
>
> :(
>
> Alternatively, consider strndup() here.
I think we should probably revert the code back to its previous state.
Using memcpy and assigning nul seems to be a better approach.
strndup() needs to re-evaluate strlen() which doesn't sound like a good
idea here.
>> Modified: head/usr.bin/grep/queue.c
>> ==============================================================================
>> --- head/usr.bin/grep/queue.c Wed Jul 28 21:52:09 2010 (r210577)
>> +++ head/usr.bin/grep/queue.c Thu Jul 29 00:11:14 2010 (r210578)
>> @@ -60,7 +60,7 @@ enqueue(struct str *x)
>> item->data.len = x->len;
>> item->data.line_no = x->line_no;
>> item->data.off = x->off;
>> - memcpy(item->data.dat, x->dat, x->len);
>> + strcpy(item->data.dat, x->dat);
>> item->data.file = x->file;
>>
>> STAILQ_INSERT_TAIL(&queue, item, list);
>
> :(
Oops, I didn't caught this :-/ Sorry.
>> Modified: head/usr.bin/grep/util.c
>> ==============================================================================
>> --- head/usr.bin/grep/util.c Wed Jul 28 21:52:09 2010 (r210577)
>> +++ head/usr.bin/grep/util.c Thu Jul 29 00:11:14 2010 (r210578)
[snip]
>> @@ -102,30 +141,19 @@ grep_tree(char **argv)
>> default:
>> /* Check for file exclusion/inclusion */
>> ok = true;
>> - if (exclflag) {
>> + if (dexclude || dinclude) {
>> if ((d = strrchr(p->fts_path, '/')) != NULL) {
>> dir = grep_malloc(sizeof(char) *
>> (d - p->fts_path + 2));
>> strlcpy(dir, p->fts_path,
>> (d - p->fts_path + 1));
>
> Why do the buffer sizes differ here? Also, this can be a memcpy plus a
> '\0' write instead of a strlcpy.
I think in this case the malloc part should be d - p->fts_path + 1.
Speaking for strlcpy vs memcpy for this case, I don't see much
difference as grep_tree() is being called during fts operation, these
string can never be long enough, nor the code path be "hot" enough
without I/O.
I'll take care for the rest of changes.
Cheers,
- --
Xin LI <delphij at delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (FreeBSD)
iQEcBAEBCAAGBQJMUf+2AAoJEATO+BI/yjfBPuoH/0zahV2GYxBJIyuxw+WYMvjT
WnPI4I9piIuGtREYS2kUYY5HGswPwOiRGxEoNQ4m1wWYkpSf3gtjnR7B+lCkzYeJ
WloTK8jfuYg7stGozJvOVGd4SIQBjchI3OepR86YbKCqGTDMo3iL+Fou/RQruJ5G
HyAvZv00HNrGVagdBT/0KHrRiZ/W5bT7+lwuRxR8VsSdxBXjDBS0L87oiBGfvr5u
bKmEWNUWNELJb+j2yvIh7M7M5CJIrlqx7enpGhyGciaEaWZzWuRF2aVmqGhlcBVt
m5XcChcd7jpGr/HOQq0o3hAvfG684BKG+UPm7yBSs8bAZwrXVdECXnbYS9MxcAc=
=8dGx
-----END PGP SIGNATURE-----
More information about the svn-src-all
mailing list