From: Frederic Weisbecker <fweisbec@gmail.com>
To: Li Zefan <lizf@cn.fujitsu.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Tom Zanussi <tzanussi@gmail.com>, Ingo Molnar <mingo@elte.hu>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] tracing/filters: use strcmp() instead of strncmp()
Date: Mon, 1 Jun 2009 15:09:30 +0200 [thread overview]
Message-ID: <20090601130928.GA6000@nowhere> (raw)
In-Reply-To: <4A236B0B.3000604@cn.fujitsu.com>
On Mon, Jun 01, 2009 at 01:45:47PM +0800, Li Zefan wrote:
> >>>> I don't think there's any security issue. It's irrelevant how big the user-input
> >>>> strings are. The point is those strings are guaranteed to be NULL-terminated.
> >>>> Am I missing something?
> >>>>
> >>>> And I don't think it's necessary to make 2 patches that each patch converts
> >>>> one strncmp to strcmp. But maybe it's better to improve this changelog?
> >>> Hmm, you must be right, indeed they seem to be guaranted beeing NULL-terminated
> >>> strings.
> >>>
> >> Sorry, I was wrong. :(
> >>
> >> Though the user-input strings are guaranted to be NULL-terminated, strings
> >> generated by TRACE_EVENT might not.
> >>
> >> We define static strings this way:
> >> TP_struct(
> >> __array(char, foo, LEN)
> >> )
> >> But foo is not necessarily a string, though I doubt someone will use it
> >> as non-string char array.
> >
> >
> > Yeah, but the user defined comparison operand is NULL terminated.
> > So the strcmp will stop at this boundary.
> >
>
> The user input string is NULL terminated and is limited to MAX_FILTER_STR_VAL,
> and it's strcmp() not strcpy(), but it's still unsafe. No?
>
> cmp = strcmp(addr, pred->str_val);
>
> If addr is not NULL-terminated string but char array, and length of
> str_val > length of addr, then we'll be exceeding the boundary of the
> array.
No, once both strings appear to be different, strcmp returns.
As an example, the generic strcmp in lib/string.c is as follows:
int strcmp(const char *cs, const char *ct)
{
signed char __res;
while (1) {
if ((__res = *cs - *ct++) != 0 || !*cs++)
break;
}
return __res;
}
Once cs[n] != ct[n], or !cs[n] || !ct[n], strcmp() stops,
and the x86 implementation does exactly the same.
So I guess it's safe.
> >
> >
> >> Dynamic string is fine, because assign_str() makes it NULL-terminated.
> >>
> >> So we can use strcmp() for dynamic strings, but we'd better use strncmp() for
> >> static string.
> >>
> >>
> >
> >
> >
next prev parent reply other threads:[~2009-06-01 13:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-29 8:41 [PATCH 2/2] tracing/filters: use strcmp() instead of strncmp() Li Zefan
2009-05-29 13:51 ` Frédéric Weisbecker
2009-05-30 9:06 ` Li Zefan
2009-05-30 13:52 ` Frederic Weisbecker
2009-05-31 8:27 ` Li Zefan
2009-05-31 13:28 ` Frederic Weisbecker
2009-06-01 5:45 ` Li Zefan
2009-06-01 13:09 ` Frederic Weisbecker [this message]
2009-06-02 0:55 ` Li Zefan
2009-09-08 3:03 ` Steven Rostedt
2009-09-09 1:21 ` Li Zefan
2009-09-09 2:00 ` Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090601130928.GA6000@nowhere \
--to=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lizf@cn.fujitsu.com \
--cc=mingo@elte.hu \
--cc=rostedt@goodmis.org \
--cc=tzanussi@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox