[PATCH] lib/util: fix timespec normalization
Philipp Gesang
philipp.gesang at intra2net.com
Fri Jan 18 15:46:46 UTC 2019
-<| Quoting Volker Lendecke via samba-technical <Volker.Lendecke at SerNet.DE>, on Friday, 2019-01-18 11:36:11 AM |>-
> On Thu, Jan 17, 2019 at 05:07:18PM +0100, Philipp Gesang wrote:
> > -<| Quoting Volker Lendecke via samba-technical <Volker.Lendecke at SerNet.DE>, on Thursday, 2019-01-17 11:58:16 AM |>-
> > > On Thu, Jan 17, 2019 at 11:40:48AM +0100, Philipp Gesang via samba-technical wrote:
> > > > +
> > > > +/****************************************************************************
> > > > + Deal with nanoseconds overflow.
> > > > +****************************************************************************/
> > > > +
> > > > +void normalize_timespec(struct timespec *ts)
> > > > +{
> > > > + while (ts->tv_nsec >= NSEC_PER_SEC) {
> > > > + ++ts->tv_sec;
> > > > + ts->tv_nsec -= NSEC_PER_SEC;
> > > > + }
> > > > + while (ts->tv_nsec < 0) {
> > > > + --ts->tv_sec;
> > > > + ts->tv_nsec += NSEC_PER_SEC;
> > > > + }
> > > > +}
> > >
> > > This looks a bit inefficient to be honest. Shouldn't that be faster
> > > doing some modulo-magic?
> >
> > Unless something is severely wrong, there shouldn’t be more than
> > the sum of two valid tv_nsec in there so the loop is unlikely to
> > run more than once. Also on 32 bit, it’ll run at most twice on
> > account of tv_nsec being long.
> >
> > Anyways, attached is a variant that uses lldiv instead.
>
> Better, thanks!
>
> I know it's tedious, but if we touch this lowlevel code we should get
> the details right with our coding guidelines. Thus two nit-picks:
>
> > +/****************************************************************************
> > + Deal with nanoseconds overflow.
> > +****************************************************************************/
> > +
> > +void normalize_timespec(struct timespec *ts)
> > +{
> > + lldiv_t dres;
> > +
> > + /* most likely case: nsec is valid */
> > + if ((unsigned long)ts->tv_nsec < NSEC_PER_SEC) return;
>
> Please add { } even around a single statement to avoid something like
> CVE-2014-1266.
Ok.
> > + dres = lldiv(ts->tv_nsec, NSEC_PER_SEC);
> > + ts->tv_nsec = dres.rem;
> > + ts->tv_sec += dres.quot;
>
> tv_sec is a signed number. We should check for overflow here. I know
> this is a "can't happen", but you never know. Here we might just abort
> if it flows over.
I’ve gone with saturating the values instead of aborting outright.
> > + /* if the ns part was positive or muliple of -1000000000, we're done */
> > + if (ts->tv_nsec > 0 || dres.rem == 0) return;
>
> { } please :-)
No problem ;)
New patch attached.
Best,
Philipp
-------------- next part --------------
From efe64fe8d0e5665c0791cdf32a2b406bf729bcc0 Mon Sep 17 00:00:00 2001
From: Philipp Gesang <philipp.gesang at intra2net.com>
Date: Thu, 17 Jan 2019 11:06:26 +0100
Subject: [PATCH v3] lib/util: fix timespec normalization
When fixing up timespec structs, negative values for the ns part
should be taken into account. Also, the range for a valid ns part
is [0, 1000000000), not [0, 1000000000].
Signed-off-by: Philipp Gesang <philipp.gesang at intra2net.com>
---
lib/util/tests/time.c | 54 +++++++++++++++++++++++++++++++++++++++++++
lib/util/time.c | 53 +++++++++++++++++++++++++++++++++++-------
lib/util/time.h | 1 +
3 files changed, 100 insertions(+), 8 deletions(-)
diff --git a/lib/util/tests/time.c b/lib/util/tests/time.c
index fce0eef5e2e..a19233d4afc 100644
--- a/lib/util/tests/time.c
+++ b/lib/util/tests/time.c
@@ -82,6 +82,58 @@ static bool test_timestring(struct torture_context *tctx)
return true;
}
+static bool test_normalize_timespec(struct torture_context *tctx)
+{
+ const struct {
+ time_t in_s; long in_ns;
+ time_t out_s; long out_ns;
+ } data [] = {
+ { 0, 0, 0, 0 }
+ , { 1, 0, 1, 0 }
+ , { -1, 0, -1, 0 }
+ , { 0, 1000000000, 1, 0 }
+ , { 0, 2000000000, 2, 0 }
+ , { 0, 1000000001, 1, 1 }
+ , { 0, 2000000001, 2, 1 }
+ , { 0, -1000000000, -1, 0 }
+ , { 0, -2000000000, -2, 0 }
+ , { 0, -1000000001, -2, 999999999 }
+ , { 0, -2000000001, -3, 999999999 }
+ , { 0, -1, -1, 999999999 }
+ , { 1, -1, 0, 999999999 }
+ , { -1, -1, -2, 999999999 }
+ , { 0, 999999999, 0, 999999999 }
+ , { 0, 1999999999, 1, 999999999 }
+ , { 0, 2999999999, 2, 999999999 }
+ , { 0, -999999999, -1, 1 }
+ , { 0, -1999999999, -2, 1 }
+ , { 0, -2999999999, -3, 1 }
+ , { LONG_MAX, 1000000001, LONG_MAX, 999999999 } /* overflow */
+ , { LONG_MAX, 999999999, LONG_MAX, 999999999 } /* harmless */
+ , { LONG_MAX, -1, LONG_MAX-1, 999999999 } /* -1 */
+ , { LONG_MIN, -1000000001, LONG_MIN, 0 } /* overflow */
+ , { LONG_MIN, 0, LONG_MIN, 0 } /* harmless */
+ , { LONG_MIN, 1000000000, LONG_MIN+1, 0 } /* +1 */
+ };
+
+ for (int i = 0; i < sizeof(data) / sizeof(data[0]); ++i) {
+ struct timespec ts = (struct timespec)
+ { .tv_sec = data[i].in_s
+ , .tv_nsec = data[i].in_ns };
+ //fprintf(stderr, "[%d] %ld s, %ld ns\n",
+ //i, ts.tv_sec, ts.tv_nsec);
+
+ normalize_timespec(&ts);
+
+ torture_assert_int_equal(tctx, ts.tv_sec, data[i].out_s,
+ "mismatch in tv_sec");
+ torture_assert_int_equal(tctx, ts.tv_nsec, data[i].out_ns,
+ "mismatch in tv_nsec");
+ }
+
+ return true;
+}
+
struct torture_suite *torture_local_util_time(TALLOC_CTX *mem_ctx)
{
struct torture_suite *suite = torture_suite_create(mem_ctx, "time");
@@ -92,6 +144,8 @@ struct torture_suite *torture_local_util_time(TALLOC_CTX *mem_ctx)
test_http_timestring);
torture_suite_add_simple_test(suite, "timestring",
test_timestring);
+ torture_suite_add_simple_test(suite, "normalize_timespec",
+ test_normalize_timespec);
return suite;
}
diff --git a/lib/util/time.c b/lib/util/time.c
index bd067f84e8e..9dfea1798b2 100644
--- a/lib/util/time.c
+++ b/lib/util/time.c
@@ -39,6 +39,7 @@
#endif
+#define NSEC_PER_SEC 1000000000
/**
External access to time_t_min and time_t_max.
@@ -88,10 +89,7 @@ _PUBLIC_ time_t time_mono(time_t *t)
time_t convert_timespec_to_time_t(struct timespec ts)
{
/* Ensure tv_nsec is less than 1sec. */
- while (ts.tv_nsec > 1000000000) {
- ts.tv_sec += 1;
- ts.tv_nsec -= 1000000000;
- }
+ normalize_timespec(&ts);
/* 1 ns == 1,000,000,000 - one thousand millionths of a second.
increment if it's greater than 500 millionth of a second. */
@@ -950,10 +948,7 @@ void round_timespec_to_usec(struct timespec *ts)
{
struct timeval tv = convert_timespec_to_timeval(*ts);
*ts = convert_timeval_to_timespec(tv);
- while (ts->tv_nsec > 1000000000) {
- ts->tv_sec += 1;
- ts->tv_nsec -= 1000000000;
- }
+ normalize_timespec(ts);
}
/****************************************************************************
@@ -982,3 +977,45 @@ _PUBLIC_ NTTIME unix_timespec_to_nt_time(struct timespec ts)
return d;
}
+
+/****************************************************************************
+ Deal with nanoseconds overflow.
+****************************************************************************/
+
+void normalize_timespec(struct timespec *ts)
+{
+ lldiv_t dres;
+
+ /* most likely case: nsec is valid */
+ if ((unsigned long)ts->tv_nsec < NSEC_PER_SEC) {
+ return;
+ }
+
+ dres = lldiv(ts->tv_nsec, NSEC_PER_SEC);
+
+ /* if the operation would result in overflow, max out values and bail */
+ if (dres.quot > 0) {
+ if ((int64_t)LONG_MAX - dres.quot < ts->tv_sec) {
+ ts->tv_sec = LONG_MAX;
+ ts->tv_nsec = NSEC_PER_SEC - 1;
+ return;
+ }
+ } else {
+ if ((int64_t)LONG_MIN - dres.quot > ts->tv_sec) {
+ ts->tv_sec = LONG_MIN;
+ ts->tv_nsec = 0;
+ return;
+ }
+ }
+
+ ts->tv_nsec = dres.rem;
+ ts->tv_sec += dres.quot;
+
+ /* if the ns part was positive or a multiple of -1000000000, we're done */
+ if (ts->tv_nsec > 0 || dres.rem == 0) {
+ return;
+ }
+
+ ts->tv_nsec += NSEC_PER_SEC;
+ --ts->tv_sec;
+}
diff --git a/lib/util/time.h b/lib/util/time.h
index 1988b330576..2cfa1fa9039 100644
--- a/lib/util/time.h
+++ b/lib/util/time.h
@@ -329,5 +329,6 @@ int timespec_compare(const struct timespec *ts1, const struct timespec *ts2);
void round_timespec_to_sec(struct timespec *ts);
void round_timespec_to_usec(struct timespec *ts);
NTTIME unix_timespec_to_nt_time(struct timespec ts);
+void normalize_timespec(struct timespec *ts);
#endif /* _SAMBA_TIME_H_ */
--
2.17.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190118/8a5fdb71/signature.sig>
More information about the samba-technical
mailing list