telemetry: avoid truncation of strlcpy return before check

Message ID 1691011261-5666-1-git-send-email-roretzla@linux.microsoft.com (mailing list archive)
State Rejected
Delegated to: David Marchand
Headers
Series telemetry: avoid truncation of strlcpy return before check |

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/loongarch-compilation success Compilation OK
ci/loongarch-unit-testing success Unit Testing PASS
ci/Intel-compilation success Compilation OK
ci/intel-Testing success Testing PASS
ci/github-robot: build success github build: passed
ci/intel-Functional success Functional PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-aarch-unit-testing success Testing PASS
ci/iol-testing success Testing PASS
ci/iol-x86_64-unit-testing success Testing PASS
ci/iol-unit-testing success Testing PASS
ci/iol-aarch64-compile-testing success Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/iol-x86_64-compile-testing success Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-broadcom-Functional success Functional Testing PASS

Commit Message

Tyler Retzlaff Aug. 2, 2023, 9:21 p.m. UTC
  strlcpy returns type size_t when directly assigning to
struct rte_tel_data data_len field it may be truncated leading to
compromised length check that follows

Since the limit in the check is < UINT_MAX the value returned is
safe to be cast to unsigned int (which may be narrower than size_t)
but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN

Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
---
 lib/telemetry/telemetry_data.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
  

Comments

Bruce Richardson Aug. 3, 2023, 8:15 a.m. UTC | #1
On Wed, Aug 02, 2023 at 02:21:01PM -0700, Tyler Retzlaff wrote:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
> 
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> 
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
Acked-by: Bruce Richardson <bruce.richardson@intel.com>

This probably should be marked as a fix for backport.

>  lib/telemetry/telemetry_data.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
>  int
>  rte_tel_data_string(struct rte_tel_data *d, const char *str)
>  {
> +	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
>  	d->type = TEL_STRING;
> -	d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> -	if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> +	if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
>  		d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
>  		return E2BIG; /* not necessarily and error, just truncation */
>  	}
> +	d->data_len = (unsigned int)len;
>  	return 0;
>  }
>  
> -- 
> 1.8.3.1
>
  
lihuisong (C) Aug. 8, 2023, 2:24 a.m. UTC | #2
在 2023/8/3 5:21, Tyler Retzlaff 写道:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
>
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
>
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
>   lib/telemetry/telemetry_data.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
>   int
>   rte_tel_data_string(struct rte_tel_data *d, const char *str)
>   {
> +	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
So It seems that this truncation probably will not happen.
>   	d->type = TEL_STRING;
> -	d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> -	if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> +	if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
>   		d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
>   		return E2BIG; /* not necessarily and error, just truncation */
>   	}
> +	d->data_len = (unsigned int)len;
>   	return 0;
>   }
>
  
Tyler Retzlaff Aug. 8, 2023, 5:59 p.m. UTC | #3
On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> 
> 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> >strlcpy returns type size_t when directly assigning to
> >struct rte_tel_data data_len field it may be truncated leading to
> >compromised length check that follows
> >
> >Since the limit in the check is < UINT_MAX the value returned is
> >safe to be cast to unsigned int (which may be narrower than size_t)
> >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> >
> >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> >---
> >  lib/telemetry/telemetry_data.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> >index 3b1a240..52307cb 100644
> >--- a/lib/telemetry/telemetry_data.c
> >+++ b/lib/telemetry/telemetry_data.c
> >@@ -41,12 +41,13 @@
> >  int
> >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> >  {
> >+	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> So It seems that this truncation probably will not happen.

agreed, regardless the data type choices permit a size that exceeds the
range of the narrower type and the assignment results in a warning being
generated on some targets. that's why the truncating cast is safe to
add.

none of this would be necessary if data_len had been appropriately typed
as size_t.  Bruce should we be changing the type instead since we are in
23.11 merge window...?
  
Bruce Richardson Aug. 8, 2023, 6:35 p.m. UTC | #4
On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > 
> > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > >strlcpy returns type size_t when directly assigning to
> > >struct rte_tel_data data_len field it may be truncated leading to
> > >compromised length check that follows
> > >
> > >Since the limit in the check is < UINT_MAX the value returned is
> > >safe to be cast to unsigned int (which may be narrower than size_t)
> > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > >
> > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > >---
> > >  lib/telemetry/telemetry_data.c | 5 +++--
> > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > >index 3b1a240..52307cb 100644
> > >--- a/lib/telemetry/telemetry_data.c
> > >+++ b/lib/telemetry/telemetry_data.c
> > >@@ -41,12 +41,13 @@
> > >  int
> > >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > >  {
> > >+	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > So It seems that this truncation probably will not happen.
> 
> agreed, regardless the data type choices permit a size that exceeds the
> range of the narrower type and the assignment results in a warning being
> generated on some targets. that's why the truncating cast is safe to
> add.
> 
> none of this would be necessary if data_len had been appropriately typed
> as size_t.  Bruce should we be changing the type instead since we are in
> 23.11 merge window...?
> 
I'm fine either way, to be honest.
  
David Marchand Feb. 1, 2024, 11:45 a.m. UTC | #5
On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
<bruce.richardson@intel.com> wrote:
>
> On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > >
> > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > >strlcpy returns type size_t when directly assigning to
> > > >struct rte_tel_data data_len field it may be truncated leading to
> > > >compromised length check that follows
> > > >
> > > >Since the limit in the check is < UINT_MAX the value returned is
> > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > >
> > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > >---
> > > >  lib/telemetry/telemetry_data.c | 5 +++--
> > > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > >index 3b1a240..52307cb 100644
> > > >--- a/lib/telemetry/telemetry_data.c
> > > >+++ b/lib/telemetry/telemetry_data.c
> > > >@@ -41,12 +41,13 @@
> > > >  int
> > > >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > >  {
> > > >+  const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > So It seems that this truncation probably will not happen.
> >
> > agreed, regardless the data type choices permit a size that exceeds the
> > range of the narrower type and the assignment results in a warning being
> > generated on some targets. that's why the truncating cast is safe to
> > add.
> >
> > none of this would be necessary if data_len had been appropriately typed
> > as size_t.  Bruce should we be changing the type instead since we are in
> > 23.11 merge window...?
> >
> I'm fine either way, to be honest.

Can we conclude?
struct rte_tel_data seems internal (at least opaque from an
application pov), so I suppose the option of changing data_len to
size_t is still on the table.

And we are missing a Fixes: tag too.

Thanks.
  
Tyler Retzlaff Feb. 1, 2024, 4:42 p.m. UTC | #6
On Thu, Feb 01, 2024 at 12:45:43PM +0100, David Marchand wrote:
> On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
> <bruce.richardson@intel.com> wrote:
> >
> > On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > > >
> > > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > > >strlcpy returns type size_t when directly assigning to
> > > > >struct rte_tel_data data_len field it may be truncated leading to
> > > > >compromised length check that follows
> > > > >
> > > > >Since the limit in the check is < UINT_MAX the value returned is
> > > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > > >
> > > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > > >---
> > > > >  lib/telemetry/telemetry_data.c | 5 +++--
> > > > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > > >
> > > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > > >index 3b1a240..52307cb 100644
> > > > >--- a/lib/telemetry/telemetry_data.c
> > > > >+++ b/lib/telemetry/telemetry_data.c
> > > > >@@ -41,12 +41,13 @@
> > > > >  int
> > > > >  rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > > >  {
> > > > >+  const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > > So It seems that this truncation probably will not happen.
> > >
> > > agreed, regardless the data type choices permit a size that exceeds the
> > > range of the narrower type and the assignment results in a warning being
> > > generated on some targets. that's why the truncating cast is safe to
> > > add.
> > >
> > > none of this would be necessary if data_len had been appropriately typed
> > > as size_t.  Bruce should we be changing the type instead since we are in
> > > 23.11 merge window...?
> > >
> > I'm fine either way, to be honest.
> 
> Can we conclude?
> struct rte_tel_data seems internal (at least opaque from an
> application pov), so I suppose the option of changing data_len to
> size_t is still on the table.
> 
> And we are missing a Fixes: tag too.

there is actually a general pattern of this problem across dpdk tree and
this fixes one instance.

i've marked the patch as rejected for now and hope to come back with a
more comprehensive series after msvc work is merged.

ty

> 
> Thanks.
> 
> -- 
> David Marchand
  

Patch

diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
index 3b1a240..52307cb 100644
--- a/lib/telemetry/telemetry_data.c
+++ b/lib/telemetry/telemetry_data.c
@@ -41,12 +41,13 @@ 
 int
 rte_tel_data_string(struct rte_tel_data *d, const char *str)
 {
+	const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
 	d->type = TEL_STRING;
-	d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
-	if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
+	if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
 		d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
 		return E2BIG; /* not necessarily and error, just truncation */
 	}
+	d->data_len = (unsigned int)len;
 	return 0;
 }