diff options
| author | Mikhail Chalov <mcchalov@amazon.com> | 2022-11-15 14:39:30 -0800 |
|---|---|---|
| committer | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2023-01-20 15:18:52 +0200 |
| commit | 567b68129943a1cceab1d7b4c68e2a4ba011cdc0 (patch) | |
| tree | 310e63987deb21ca563cfb86a2cf461f5b9ca133 /include | |
| parent | ea270178b09bb1e2e1131957e95f36cd1f611b22 (diff) | |
| download | mariadb-git-567b68129943a1cceab1d7b4c68e2a4ba011cdc0.tar.gz | |
Minimize unsafe C functions usage - replace strcat() and strcpy() (and strncat() and strncpy()) with custom safe_strcat() and safe_strcpy() functions
The MariaDB code base uses strcat() and strcpy() in several
places. These are known to have memory safety issues and their usage is
discouraged. Common security scanners like Flawfinder flags them. In MariaDB we
should start using modern and safer variants on these functions.
This is similar to memory issues fixes in 19af1890b56c6c147c296479bb6a4ad00fa59dbb
and 9de9f105b5cb88249acc39af73d32af337d6fd5f but now replace use of strcat()
and strcpy() with safer options strncat() and strncpy().
However, add '\0' forcefully to make sure the result string is correct since
for these two functions it is not guaranteed what new string will be null-terminated.
Example:
size_t dest_len = sizeof(g->Message);
strncpy(g->Message, "Null json tree", dest_len); strncat(g->Message, ":",
sizeof(g->Message) - strlen(g->Message)); size_t wrote_sz = strlen(g->Message);
size_t cur_len = wrote_sz >= dest_len ? dest_len - 1 : wrote_sz;
g->Message[cur_len] = '\0';
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the BSD-new
license. I am contributing on behalf of my employer Amazon Web Services
-- Reviewer and co-author Vicențiu Ciorbaru <vicentiu@mariadb.org>
-- Reviewer additions:
* The initial function implementation was flawed. Replaced with a simpler
and also correct version.
* Simplified code by making use of snprintf instead of chaining strcat.
* Simplified code by removing dynamic string construction in the first
place and using static strings if possible. See connect storage engine
changes.
Diffstat (limited to 'include')
| -rw-r--r-- | include/m_string.h | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/include/m_string.h b/include/m_string.h index e967f140dc4..8edaf19bc0a 100644 --- a/include/m_string.h +++ b/include/m_string.h @@ -225,6 +225,44 @@ static inline void lex_string_set3(LEX_CSTRING *lex_str, const char *c_str, lex_str->length= len; } +/* + Copies src into dst and ensures dst is a NULL terminated C string. + + Returns 1 if the src string was truncated due to too small size of dst. + Returns 0 if src completely fit within dst. Pads the remaining dst with '\0' + + Note: dst_size must be > 0 +*/ +static inline int safe_strcpy(char *dst, size_t dst_size, const char *src) +{ + memset(dst, '\0', dst_size); + strncpy(dst, src, dst_size - 1); + /* + If the first condition is true, we are guaranteed to have src length + >= (dst_size - 1), hence safe to access src[dst_size - 1]. + */ + if (dst[dst_size - 2] != '\0' && src[dst_size - 1] != '\0') + return 1; /* Truncation of src. */ + return 0; +} + +/* + Appends src to dst and ensures dst is a NULL terminated C string. + + Returns 1 if the src string was truncated due to too small size of dst. + Returns 0 if src completely fit within the remaining dst space. Pads the + remaining dst with '\0'. + + Note: dst_size must be > 0 +*/ +static inline int safe_strcat(char *dst, size_t dst_size, const char *src) +{ + size_t init_len= strlen(dst); + if (unlikely(init_len >= dst_size - 1)) + return 1; + return safe_strcpy(dst + init_len, dst_size - init_len, src); +} + #ifdef __cplusplus static inline char *safe_str(char *str) { return str ? str : const_cast<char*>(""); } |