public inbox for selinux@vger.kernel.org
From: Willy Tarreau <w@1wt.eu>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: "Christian Göttsche" <cgzones@googlemail.com>,
	"Paul Moore" <paul@paul-moore.com>,
	security@kernel.org, selinux@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: Suspected off-by-one in context_struct_to_string()
Date: Fri, 16 Jan 2026 18:34:29 +0100
Message-ID: <aWp2pZqZ1mJ2zFLN@1wt.eu>
In-Reply-To: <CAEjxPJ6xyngQaWGiih+LkJ=C7yvJYMEp7Nr92tzC+hVJy0R3PQ@mail.gmail.com>

On Fri, Jan 16, 2026 at 11:58:30AM -0500, Stephen Smalley wrote:
> On Fri, Jan 16, 2026 at 10:30 AM Willy Tarreau <w@1wt.eu> wrote:
> > But then *who* is responsible in all this chain
> > for allocating the room for the trailing zero that is being appended
> > at the end ?
> >
> > Or is this the last +1 of this block maybe ?
> >
> >      *scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1; // ':'
> >      *scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1; // ':'
> >      *scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1; // \0 ?
> >
> > I'm asking because nothing is really clear, and if it happens to work as
> > intended, it's not super clear why.
> 
> Yes, it is that last +1.

OK so that was the trickiest to spot (comments are mine above).

> Historically, originally the MLS support was
> a Kconfig option and the entire
> mls_*() parts were compiled out altogether if MLS was disabled. In
> that situation, the context
> ended with the type name and thus counting the NUL aka '\0' byte there
> made sense. Later the MLS
> support was changed to be dynamically determined at policy load time,
> but that function still returns 0
> if MLS is disabled so the NUL byte is still counted in the type name
> length computation above.

I'm fine with this.

> Happy to split it out into its own line and move after the mls_*()
> function if it would be easier to read.

I think that what's mostly missing is a comment before the construction
explaining the expected output format, and another comment saying that
the +1 covers the following delimiter for the first fields, and the
trailing zero for the last one, and that mls_*() include the needed
delimiter. That way the calculation would look like it obviously
matches expectations.

Thanks for taking the time to explain, now we're certain there's no
issue and next time we get this report again we won't doubt anymore.

Willy
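
The accounting discussed in this thread, as an added user-space example (not part of the thread and not the kernel's code). `struct ctx`, `mls_len()`, `ctx_len()` and `ctx_to_string()` are hypothetical stand-ins, and a NULL `mls` field models "MLS disabled"; the build step is bounded by the computed length and rejects any mismatch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output format: "user:role:type" or "user:role:type:mls", NUL-terminated. */
struct ctx {            /* hypothetical stand-in, not the kernel's struct context */
    const char *user, *role, *type;
    const char *mls;    /* NULL models "MLS disabled" */
};

/* As described in the thread for the mls_*() helpers: 0 when MLS is off,
 * otherwise the length of the MLS text plus its leading ':' delimiter. */
static size_t mls_len(const struct ctx *c)
{
    return c->mls ? 1 + strlen(c->mls) : 0;
}

/* Bytes needed for the string form, including the terminating NUL. */
static size_t ctx_len(const struct ctx *c)
{
    size_t len = 0;

    len += strlen(c->user) + 1;   /* +1: ':' after user */
    len += strlen(c->role) + 1;   /* +1: ':' after role */
    len += strlen(c->type) + 1;   /* +1: NUL that ends the whole string */
    len += mls_len(c);            /* brings its own ':' when present */
    return len;
}

/* Allocates exactly ctx_len() bytes and fills them; caller frees. */
static char *ctx_to_string(const struct ctx *c, size_t *len)
{
    char *buf;
    int n;

    *len = ctx_len(c);
    buf = malloc(*len);
    if (!buf)
        return NULL;
    n = snprintf(buf, *len, "%s:%s:%s%s%s", c->user, c->role, c->type,
                 c->mls ? ":" : "", c->mls ? c->mls : "");
    if (n < 0 || (size_t)n + 1 != *len) {   /* computed length must match */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    struct ctx c = { "system_u", "object_r", "etc_t", "s0" }; /* constructed sample */
    size_t n; char *s = ctx_to_string(&c, &n);
    if (s) printf("%s (%zu bytes)\n", s, n);
    free(s); return 0;
}
```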