telemetry: avoid truncation of strlcpy return before check
Checks
Commit Message
strlcpy returns type size_t when directly assigning to
struct rte_tel_data data_len field it may be truncated leading to
compromised length check that follows
Since the limit in the check is < UINT_MAX the value returned is
safe to be cast to unsigned int (which may be narrower than size_t)
but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
---
lib/telemetry/telemetry_data.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
Comments
On Wed, Aug 02, 2023 at 02:21:01PM -0700, Tyler Retzlaff wrote:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
>
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
>
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
This probably should be marked as a fix for backport.
> lib/telemetry/telemetry_data.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
> int
> rte_tel_data_string(struct rte_tel_data *d, const char *str)
> {
> + const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> d->type = TEL_STRING;
> - d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> - if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> + if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
> return E2BIG; /* not necessarily and error, just truncation */
> }
> + d->data_len = (unsigned int)len;
> return 0;
> }
>
> --
> 1.8.3.1
>
在 2023/8/3 5:21, Tyler Retzlaff 写道:
> strlcpy returns type size_t when directly assigning to
> struct rte_tel_data data_len field it may be truncated leading to
> compromised length check that follows
>
> Since the limit in the check is < UINT_MAX the value returned is
> safe to be cast to unsigned int (which may be narrower than size_t)
> but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
>
> Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> ---
> lib/telemetry/telemetry_data.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> index 3b1a240..52307cb 100644
> --- a/lib/telemetry/telemetry_data.c
> +++ b/lib/telemetry/telemetry_data.c
> @@ -41,12 +41,13 @@
> int
> rte_tel_data_string(struct rte_tel_data *d, const char *str)
> {
> + const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
So It seems that this truncation probably will not happen.
> d->type = TEL_STRING;
> - d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
> - if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> + if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
> d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
> return E2BIG; /* not necessarily and error, just truncation */
> }
> + d->data_len = (unsigned int)len;
> return 0;
> }
>
On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
>
> 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> >strlcpy returns type size_t when directly assigning to
> >struct rte_tel_data data_len field it may be truncated leading to
> >compromised length check that follows
> >
> >Since the limit in the check is < UINT_MAX the value returned is
> >safe to be cast to unsigned int (which may be narrower than size_t)
> >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> >
> >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> >---
> > lib/telemetry/telemetry_data.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> >index 3b1a240..52307cb 100644
> >--- a/lib/telemetry/telemetry_data.c
> >+++ b/lib/telemetry/telemetry_data.c
> >@@ -41,12 +41,13 @@
> > int
> > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > {
> >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> So It seems that this truncation probably will not happen.
agreed, regardless the data type choices permit a size that exceeds the
range of the narrower type and the assignment results in a warning being
generated on some targets. that's why the truncating cast is safe to
add.
none of this would be necessary if data_len had been appropriately typed
as size_t. Bruce should we be changing the type instead since we are in
23.11 merge window...?
On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> >
> > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > >strlcpy returns type size_t when directly assigning to
> > >struct rte_tel_data data_len field it may be truncated leading to
> > >compromised length check that follows
> > >
> > >Since the limit in the check is < UINT_MAX the value returned is
> > >safe to be cast to unsigned int (which may be narrower than size_t)
> > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > >
> > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > >---
> > > lib/telemetry/telemetry_data.c | 5 +++--
> > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > >index 3b1a240..52307cb 100644
> > >--- a/lib/telemetry/telemetry_data.c
> > >+++ b/lib/telemetry/telemetry_data.c
> > >@@ -41,12 +41,13 @@
> > > int
> > > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > {
> > >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > So It seems that this truncation probably will not happen.
>
> agreed, regardless the data type choices permit a size that exceeds the
> range of the narrower type and the assignment results in a warning being
> generated on some targets. that's why the truncating cast is safe to
> add.
>
> none of this would be necessary if data_len had been appropriately typed
> as size_t. Bruce should we be changing the type instead since we are in
> 23.11 merge window...?
>
I'm fine either way, to be honest.
On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
<bruce.richardson@intel.com> wrote:
>
> On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > >
> > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > >strlcpy returns type size_t when directly assigning to
> > > >struct rte_tel_data data_len field it may be truncated leading to
> > > >compromised length check that follows
> > > >
> > > >Since the limit in the check is < UINT_MAX the value returned is
> > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > >
> > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > >---
> > > > lib/telemetry/telemetry_data.c | 5 +++--
> > > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > >index 3b1a240..52307cb 100644
> > > >--- a/lib/telemetry/telemetry_data.c
> > > >+++ b/lib/telemetry/telemetry_data.c
> > > >@@ -41,12 +41,13 @@
> > > > int
> > > > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > > {
> > > >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > So It seems that this truncation probably will not happen.
> >
> > agreed, regardless the data type choices permit a size that exceeds the
> > range of the narrower type and the assignment results in a warning being
> > generated on some targets. that's why the truncating cast is safe to
> > add.
> >
> > none of this would be necessary if data_len had been appropriately typed
> > as size_t. Bruce should we be changing the type instead since we are in
> > 23.11 merge window...?
> >
> I'm fine either way, to be honest.
Can we conclude?
struct rte_tel_data seems internal (at least opaque from an
application pov), so I suppose the option of changing data_len to
size_t is still on the table.
And we are missing a Fixes: tag too.
Thanks.
On Thu, Feb 01, 2024 at 12:45:43PM +0100, David Marchand wrote:
> On Tue, Aug 8, 2023 at 8:35 PM Bruce Richardson
> <bruce.richardson@intel.com> wrote:
> >
> > On Tue, Aug 08, 2023 at 10:59:37AM -0700, Tyler Retzlaff wrote:
> > > On Tue, Aug 08, 2023 at 10:24:41AM +0800, lihuisong (C) wrote:
> > > >
> > > > 在 2023/8/3 5:21, Tyler Retzlaff 写道:
> > > > >strlcpy returns type size_t when directly assigning to
> > > > >struct rte_tel_data data_len field it may be truncated leading to
> > > > >compromised length check that follows
> > > > >
> > > > >Since the limit in the check is < UINT_MAX the value returned is
> > > > >safe to be cast to unsigned int (which may be narrower than size_t)
> > > > >but only after being checked against RTE_TEL_MAX_SINGLE_STRING_LEN
> > > > >
> > > > >Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
> > > > >---
> > > > > lib/telemetry/telemetry_data.c | 5 +++--
> > > > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > > > >
> > > > >diff --git a/lib/telemetry/telemetry_data.c b/lib/telemetry/telemetry_data.c
> > > > >index 3b1a240..52307cb 100644
> > > > >--- a/lib/telemetry/telemetry_data.c
> > > > >+++ b/lib/telemetry/telemetry_data.c
> > > > >@@ -41,12 +41,13 @@
> > > > > int
> > > > > rte_tel_data_string(struct rte_tel_data *d, const char *str)
> > > > > {
> > > > >+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
> > > > sizeof(d->data.str) is equal to RTE_TEL_MAX_SINGLE_STRING_LEN(8192).
> > > > So It seems that this truncation probably will not happen.
> > >
> > > agreed, regardless the data type choices permit a size that exceeds the
> > > range of the narrower type and the assignment results in a warning being
> > > generated on some targets. that's why the truncating cast is safe to
> > > add.
> > >
> > > none of this would be necessary if data_len had been appropriately typed
> > > as size_t. Bruce should we be changing the type instead since we are in
> > > 23.11 merge window...?
> > >
> > I'm fine either way, to be honest.
>
> Can we conclude?
> struct rte_tel_data seems internal (at least opaque from an
> application pov), so I suppose the option of changing data_len to
> size_t is still on the table.
>
> And we are missing a Fixes: tag too.
there is actually a general pattern of this problem across dpdk tree and
this fixes one instance.
i've marked the patch as rejected for now and hope to come back with a
more comprehensive series after msvc work is merged.
ty
>
> Thanks.
>
> --
> David Marchand
@@ -41,12 +41,13 @@
int
rte_tel_data_string(struct rte_tel_data *d, const char *str)
{
+ const size_t len = strlcpy(d->data.str, str, sizeof(d->data.str));
d->type = TEL_STRING;
- d->data_len = strlcpy(d->data.str, str, sizeof(d->data.str));
- if (d->data_len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
+ if (len >= RTE_TEL_MAX_SINGLE_STRING_LEN) {
d->data_len = RTE_TEL_MAX_SINGLE_STRING_LEN - 1;
return E2BIG; /* not necessarily and error, just truncation */
}
+ d->data_len = (unsigned int)len;
return 0;
}