Page MenuHomeFreeBSD

tftpd: silence gcc overflow warnings
ClosedPublic

Authored by des on May 3 2024, 9:16 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 3, 1:02 AM
Unknown Object (File)
Nov 27 2024, 3:45 AM
Unknown Object (File)
Nov 22 2024, 10:46 PM
Unknown Object (File)
Oct 22 2024, 1:39 PM
Unknown Object (File)
Sep 23 2024, 4:23 AM
Unknown Object (File)
Sep 23 2024, 4:18 AM
Unknown Object (File)
Sep 23 2024, 4:18 AM
Unknown Object (File)
Sep 23 2024, 4:18 AM
Subscribers

Details

Summary

GCC 13 complains that we might be writing too much to an on-stack buffer
when createing a filename with the following warnings:

tftpd.c: In function 'validate_access':
tftpd.c:643:40: warning: '.' directive
writing 1 byte into a region of size between 0 and 1023 [-Wformat-overflow=]

643 |                 sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
    |                                        ^

In function 'find_next_name',

inlined from 'validate_access' at

tftpd.c:762:13:
tftpd.c:643:34: note: directive argument in the range [0, 99]

643 |                 sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
    |                                  ^~~~~~~~~~~~

tftpd.c:643:17: note: 'sprintf' output 5 or more bytes (assuming 1028) into a destination of size 1024

643 |                 sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
    |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In practice there is a check that filename isn't too long given the
time format and other static characters so GCC is incorrect, but GCC
isn't wrong that we're potentially trying to put a MAXPATHLEN length
string + some other characters into a MAXPATHLEN buffer (if you ignore
the check GCC can't realistically evaluate at compile time).

Switch to snprintf to populate filename to ensure that future logic
errors don't result in a stack overflow.

Shorten the questionably named yyyymmdd buffer enough to slience the
warning (checking the snprintf return value isn't sufficent) while
preserving maximum flexibility for admins who use the -F option.

Use a define in place of the magic 5.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

brooks requested review of this revision.May 3 2024, 9:16 PM
des requested changes to this revision.May 3 2024, 10:48 PM
des added inline comments.
libexec/tftpd/tftpd.c
635–636

this is off by one (but purely cosmetic)

641–642

this is also off by one, and unfortunately not purely cosmetic

644–646

off by one again

652

gcc does not respect (void).

This revision now requires changes to proceed.May 3 2024, 10:48 PM
libexec/tftpd/tftpd.c
635–636

correction, it was off by one originally, now it is off by FILE_SUFFIX_SIZE + 1.

Graturiously check the return of sprintf because glibc's headers
require it when compiling with gcc.

libexec/tftpd/tftpd.c
641–642

This is equivalent to strlen(filename) + len + FILE_SUFFIX_SIZE > MAXPATHLEN which is fine because FILE_SUFFIX_SIZE includes the terminator (hence the use of sizeof("..nn") and not strlen("..nn").

libexec/tftpd/tftpd.c
641–642

ok but we're still logging the wrong number when strftime() fails

Fix strftime log message. Prefer sizeof(buffer) to bare MAXPATHLEN.

I think I've addressed everything. There might be argument for just using a pragma push/pop to disable the warnings instead of adding checks, but I've already spent more time then this code is worth.

des added inline comments.
libexec/tftpd/tftpd.c
652–661

Purely cosmetic but I find 0666 easier to read and interpret than this alphabet soup, plus it makes the entire open() call fit on one line.

This revision is now accepted and ready to land.May 4 2024, 8:16 AM
des requested changes to this revision.May 4 2024, 8:59 AM

Sorry, I just realized that this is still incorrect. If FILE_SUFFIX_SIZE includes space for the terminator then yyyymmdd is too short. The difference between yyyymmdd and newname should be 4, not 5.

This revision now requires changes to proceed.May 4 2024, 8:59 AM

Would you like me to commandeer this?

In D45086#1029238, @des wrote:

Would you like me to commandeer this?

Sure

des edited reviewers, added: brooks; removed: des.
This revision now requires review to proceed.May 9 2024, 10:20 AM
des retitled this revision from tftpd: silence gcc -Wformat-overflow warnings to tftpd: silence gcc overflow warnings.May 9 2024, 10:20 AM

fix length / size confusion

Thanks for picking this up, you went a similarly direction to what I was thinking, but I've been at a conference and traveling home so distracted.

This revision is now accepted and ready to land.May 10 2024, 5:00 PM
This revision was automatically updated to reflect the committed changes.