Details

Reviewers

emaste
brooks

Commits

rG25945af47e7a: tftpd: silence gcc overflow warnings

Summary

GCC 13 complains that we might be writing too much to an on-stack buffer
when createing a filename with the following warnings:

tftpd.c: In function 'validate_access':
tftpd.c:643:40: warning: '.' directive
writing 1 byte into a region of size between 0 and 1023 [-Wformat-overflow=]

643 |                 sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
    |                                        ^

In function 'find_next_name',

inlined from 'validate_access' at

tftpd.c:762:13:
tftpd.c:643:34: note: directive argument in the range [0, 99]

643 |                 sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
    |                                  ^~~~~~~~~~~~

tftpd.c:643:17: note: 'sprintf' output 5 or more bytes (assuming 1028) into a destination of size 1024

643 |                 sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
    |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In practice there is a check that filename isn't too long given the
time format and other static characters so GCC is incorrect, but GCC
isn't wrong that we're potentially trying to put a MAXPATHLEN length
string + some other characters into a MAXPATHLEN buffer (if you ignore
the check GCC can't realistically evaluate at compile time).

Switch to snprintf to populate filename to ensure that future logic
errors don't result in a stack overflow.

Shorten the questionably named yyyymmdd buffer enough to slience the
warning (checking the snprintf return value isn't sufficent) while
preserving maximum flexibility for admins who use the -F option.

Use a define in place of the magic 5.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

brooks created this revision.Fri, May 3, 9:16 PM

Herald added a subscriber: imp. · View Herald TranscriptFri, May 3, 9:16 PM

brooks requested review of this revision.Fri, May 3, 9:16 PM

Harbormaster completed remote builds in B57578: Diff 138127.Fri, May 3, 9:16 PM

des requested changes to this revision.Fri, May 3, 10:48 PM

des added inline comments.

libexec/tftpd/tftpd.c
635–636	this is off by one (but purely cosmetic)
641–642	this is also off by one, and unfortunately not purely cosmetic
644–646	off by one again
652	gcc does not respect `(void)`.

This revision now requires changes to proceed.Fri, May 3, 10:48 PM

des added inline comments.Fri, May 3, 10:49 PM

libexec/tftpd/tftpd.c
635–636	correction, it was off by one originally, now it is off by `FILE_SUFFIX_SIZE + 1`.

Graturiously check the return of sprintf because glibc's headers
require it when compiling with gcc.

Harbormaster completed remote builds in B57583: Diff 138132.Fri, May 3, 10:59 PM

brooks added inline comments.Fri, May 3, 11:20 PM

libexec/tftpd/tftpd.c
641–642	This is equivalent to `strlen(filename) + len + FILE_SUFFIX_SIZE > MAXPATHLEN` which is fine because FILE_SUFFIX_SIZE includes the terminator (hence the use of `sizeof("..nn")` and not `strlen("..nn")`.

des added inline comments.Fri, May 3, 11:33 PM

libexec/tftpd/tftpd.c
641–642	ok but we're still logging the wrong number when `strftime()` fails

Fix strftime log message. Prefer sizeof(buffer) to bare MAXPATHLEN.

Harbormaster completed remote builds in B57584: Diff 138134.Fri, May 3, 11:55 PM

brooks marked 6 inline comments as done.Fri, May 3, 11:58 PM

I think I've addressed everything. There might be argument for just using a pragma push/pop to disable the warnings instead of adding checks, but I've already spent more time then this code is worth.

des accepted this revision.Sat, May 4, 8:16 AM

des added inline comments.

libexec/tftpd/tftpd.c
652–661	Purely cosmetic but I find 0666 easier to read and interpret than this alphabet soup, plus it makes the entire `open()` call fit on one line.

This revision is now accepted and ready to land.Sat, May 4, 8:16 AM

Sorry, I just realized that this is still incorrect. If FILE_SUFFIX_SIZE includes space for the terminator then yyyymmdd is too short. The difference between yyyymmdd and newname should be 4, not 5.

This revision now requires changes to proceed.Sat, May 4, 8:59 AM

Would you like me to commandeer this?

In D45086#1029238, @des wrote:

Would you like me to commandeer this?

Sure

des commandeered this revision.Thu, May 9, 10:20 AM

des edited reviewers, added: brooks; removed: des.

This revision now requires review to proceed.Thu, May 9, 10:20 AM

des retitled this revision from tftpd: silence gcc -Wformat-overflow warnings to tftpd: silence gcc overflow warnings.Thu, May 9, 10:20 AM

fix length / size confusion

Harbormaster completed remote builds in B57635: Diff 138284.Thu, May 9, 10:55 AM

off by one

Harbormaster completed remote builds in B57650: Diff 138332.Fri, May 10, 6:11 AM

Thanks for picking this up, you went a similarly direction to what I was thinking, but I've been at a conference and traveling home so distracted.

This revision is now accepted and ready to land.Fri, May 10, 5:00 PM

Closed by commit rG25945af47e7a: tftpd: silence gcc overflow warnings (authored by des). · Explain WhyFri, May 10, 9:17 PM

This revision was automatically updated to reflect the committed changes.

des added a commit: rG25945af47e7a: tftpd: silence gcc overflow warnings.

des mentioned this in rG626ee3cac845: tftpd: Add missing `-S` option to synopsis..Tue, May 14, 6:59 AM

tftpd: silence gcc overflow warnings
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 138385

libexec/tftpd/tftpd.c

tftpd: silence gcc overflow warningsClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 138385

libexec/tftpd/tftpd.c

tftpd: silence gcc overflow warnings
ClosedPublic
Actions

Revision Contents
Changeset List