Date: Sun, 12 Nov 2023 10:18:05 +0100
From: Alejandro Colomar To: linux-man@vger.kernel.org Cc: Alejandro Colomar , libc-alpha@sourceware.org, Paul Eggert , Jonny Grant , DJ Delorie , Matthew House , Oskari Pirhonen , Thorsten Kukuk , Adhemerval Zanella Netto , Zack Weinberg , "G. Branden Robinson" , Carlos O'Donell , Xi Ruoyao , Stefan Puiu , Andreas Schwab Subject: [PATCH 2/2] string_copying.7: BUGS: Document strl{cpy,cat}(3)'s performance problems Message-ID: <20231112091748.6906-4-alx@kernel.org>
Also point to BUGS from other sections that talk about these functions. These functions are doomed due to the design decision of mirroring snprintf(3)'s return value. They must return strlen(src), which makes them terribly slow, and vulnerable to DoS if an attacker can control strlen(src). A better design would have been to return -1 when truncating. Reported-by: Paul Eggert Cc: Jonny Grant Cc: DJ Delorie Cc: Matthew House Cc: Oskari Pirhonen Cc: Thorsten Kukuk Cc: Adhemerval Zanella Netto Cc: Zack Weinberg Cc: "G. Branden Robinson" Cc: Carlos O'Donell Cc: Xi Ruoyao Cc: Stefan Puiu Cc: Andreas Schwab Signed-off-by: Alejandro Colomar --- man7/string_copying.7 | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/man7/string_copying.7 b/man7/string_copying.7 index 0254fbba6..cb3910db0 100644 --- a/man7/string_copying.7 +++ b/man7/string_copying.7 @@ -226,9 +226,9 @@ .SS Truncate or not? .IP \[bu] .BR strlcpy (3bsd) and .BR strlcat (3bsd) -are similar, but less efficient when chained. +are similar, but have important performance problems; see BUGS. .IP \[bu] .BR stpncpy (3) and .BR strncpy (3) @@ -417,8 +417,10 @@ .SS Functions the resulting string is truncated (but it is guaranteed to be null-terminated). They return the length of the total string they tried to create. .IP +Check BUGS before using these functions. +.IP .BR stpecpy (3) is a simpler alternative to these functions. .\" ----- DESCRIPTION :: Functions :: stpncpy(3) ----------------------/ .TP 
@@ -598,8 +600,22 @@ .SH BUGS into normal copy functions, since .I strlen(dst) is usually a byproduct of the previous copy. +.P +.BR strlcpy (3) +and +.BR strlcat (3) +need to read the entire +.I src +string, +even if the destination buffer is small. +This makes them vulnerable to Denial of Service (DoS) attacks +if an attacker can control the length of the +.I src +string. +And if not, +they're still unnecessarily slow. .\" ----- EXAMPLES :: -------------------------------------------------/ .SH EXAMPLES The following are examples of correct use of each of these functions. .\" ----- EXAMPLES :: stpcpy(3) ---------------------------------------/ -- 2.42.0
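
Review bot: In the `@@ -226,9 +226,9 @@` hunk (Truncate or not?), the replacement line "are similar, but have important performance problems; see BUGS." drops the one concrete fact the old line gave (that the cost shows up when calls are chained) and describes the issue only as performance, while the BUGS text added later in this patch also names Denial of Service. Suggest wording that carries both, for example "are similar, but are slow and can be a DoS vector; see BUGS.", so a reader choosing a truncating function sees the security consequence at this point.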
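
Review bot: In the `@@ -417,8 +417,10 @@` hunk (Functions), "Check BUGS before using these functions." does not say what to look for, even though the cause is the sentence directly above it ("They return the length of the total string they tried to create."). Suggest tying the two together, e.g. "Computing that return value requires reading all of src; see BUGS.", which also matches the "see BUGS" phrasing used in the first hunk.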
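
Review bot: In the `@@ -598,8 +600,22 @@` hunk (BUGS), the new paragraph says the functions "need to read the entire src string" but not why; the commit message gives the reason (they must return strlen(src)), and without that clause the problem reads as an implementation detail rather than a consequence of the interface. Suggest adding it to the paragraph. Two smaller points: the references here are `.BR strlcpy (3)` and `.BR strlcat (3)` while the first hunk's context uses `(3bsd)`, so the section suffix should be made consistent; and the paragraph could point to stpecpy(3), which the Functions section already names as the simpler alternative.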
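
The cost the commit message describes, as an added example (not part of the patch, the man page, or any libc): `demo_strlcpy` is a stand-in that follows strlcpy(3)'s contract, `demo_copy_trunc` is a hypothetical copy that returns -1 on truncation, and both report how many bytes of `src` they read. All names, the 8-byte destination and the constructed input are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in with strlcpy(3)'s contract (not libbsd/glibc code); *examined = src bytes read. */
static size_t demo_strlcpy(char *dst, const char *src, size_t dsize, size_t *examined)
{
	size_t slen = strlen(src);	/* forced by the return value: walks all of src */
	if (dsize != 0) {
		size_t n = slen < dsize - 1 ? slen : dsize - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	*examined = slen + 1;		/* every byte up to and including the NUL */
	return slen;
}

/* Hypothetical alternative: same bytes in dst, but returns -1 on truncation. */
static ssize_t demo_copy_trunc(char *dst, const char *src, size_t dsize, size_t *examined)
{
	size_t i;
	*examined = 0;
	if (dsize == 0)
		return -1;
	for (i = 0; i < dsize - 1; i++)
		if ((dst[i] = src[i]) == '\0')
			break;			/* whole string fit */
	dst[i] = '\0';
	*examined = i + 1;		/* copied bytes plus the one that decided truncation */
	return src[i] == '\0' ? (ssize_t)i : -1;
}

/* Constructed input: srclen 'A's copied into an 8-byte dst; returns src bytes read. */
static size_t src_bytes_read(int use_strlcpy, size_t srclen)
{
	static char src[1 << 20];
	char dst[8];
	size_t examined = 0;
	srclen = srclen < sizeof(src) ? srclen : sizeof(src) - 1;	/* clamp to the buffer */
	memset(src, 'A', srclen);
	src[srclen] = '\0';
	use_strlcpy ? (void)demo_strlcpy(dst, src, sizeof(dst), &examined)
		    : (void)demo_copy_trunc(dst, src, sizeof(dst), &examined);
	return examined;
}

int main(void)
{
	return printf("%zu vs %zu src bytes read\n", src_bytes_read(1, 1000000), src_bytes_read(0, 1000000)) < 0;
}
```

With a destination of 8 bytes, the work done by the strlcpy-style copy grows with the source length, while the truncation-signalling copy stays bounded by the destination size.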