[PATCH] Fix string to integer conversion for occurences in source3
swen
swen at linux.ibm.com
Fri Jan 11 08:59:09 UTC 2019
On Thu, 2019-01-10 at 12:09 -0800, Jeremy Allison wrote:
> On Thu, Jan 10, 2019 at 06:54:51PM +0100, swen via samba-technical
> wrote:
> > This is patchset is the successor of the mail thread
> > [PATCH] [tldap] check for successful string conversion
> > which I had with Volker today.
> >
> > As stated in the subject this patch-set updates all occurences of
> > the usage strtoul(l) to verify the result is valid.
> >
> > Please review and push if happy.
> >
> > Thanks for your support in advance.
Hi Jeremy,
thanks for your quick and comprehensive response,
now I'm confident again that we'll find a solution
for the technical issue.
>
> Hi Swen,
>
> I followed the conversation with Volker on the strtoul(l)
> saga, and in the epic words of Futurama, you are "Technically
> Correct, The Best Kind of Correct" :-).
>
> https://www.youtube.com/watch?v=hou0lU8WMgo
That's what I'm saying :-)
>
> Having said that there are a bunch of issues with
> this change that we need to fix.
>
> 1). nttime_from_string() is actually an unused function.
>
> diff --git a/source3/lib/time.c b/source3/lib/time.c
> index 30ad1ec9a01..09c5b0656f6 100644
> --- a/source3/lib/time.c
> +++ b/source3/lib/time.c
> @@ -42,6 +42,7 @@
> */
> NTTIME nttime_from_string(const char *s)
> {
> + errno = 0;
> return strtoull(s, NULL, 0);
> }
>
> Rather than fix, just delete it !
ok, done (in seperate patch).
>
> 2). Setting errno=0 inside VFS code is fraught with
> danger. Your changes indirectly do this by changing
> conv_str_size() to set errno to zero as a side effect
> which is called by some of the VFS functions.
>
> Some of the VFS returns depend on errno coming out
> correctly from a call (yes I know, they're bad interfaces but
> they are what they are). Normally this is done by
> ensuring that the errno-setting function is the
> last one called before exit from the VFS, but any
> change that explicitly sets errno can cause subtle
> hard to track bugs.
Hmm, ok, but this is done already by calling the strtoul()
..is that taken into account ?
>
> So what I'd prefer is for you to create wrapper
> functions that preserve an existing errno:
I was thinking of a wrapper already but for different purpose (sign)
and planned that one as a second step. That was maybe not too smart.
>
> strtoul_err()
>
> and:
>
> strtoull_err()
>
> Here is a sample implementation (not compiled or tested I'm
> afraid :-):
>
> unsigned long int strtoul_err(const char *nptr, char **endptr, int
> base, int *perr)
> {
> unsigned long int val;
> int saved_errno = errno;
>
> *perr = 0;
> errno = 0;
> val = strtoul(nptr, endptr, base);
> if (errno != 0) {
> *perr = errno;
> }
> errno = saved_errno;
> return val;
> }
>
As briefly stated above I think the "issue" of a signed number in the
string needs some handling. In addition, I think your suggested
saved_errno handling is preventing the usage of the *real* errno as
parameter if that feature isn't wanted/required.
Anyhow, so I would suggest the following as a wrapper... taking your
one as the template.
unsigned long long strtoull_safe(const char *nptr, char **endptr, int base, int *err)
{
unsigned long long val;
int saved_errno = errno;
errno = 0;
val = strtoull(nptr, endptr, base);
if (errno != 0) {
if (err != NULL) {
*err = errno;
errno = saved_errno;
}
return 0;
}
if (index(nptr, '-') != NULL) {
/* EADV (Advertise Error) to flag the conversion
* of a string representing a negative number.
*/
errno = EADV;
if (err != NULL) {
*err = errno;
errno = saved_errno;
}
}
return val;
}
This version has the nice "side-effect / feature" that whoever doesn't need
the saved_errno capability doesn't have to use it and ends up
with the standard behaviour. We could add a check if errno is still given
as the addtl. last parameter...resulting in rubbish, just to be bullett-proof.
In adition, the conversion of a "negative" string would be flagged and
the caller can then decide if that is wanted or not.
Even that could be slightly extended to verify whether the "-" appeared as part
of the number of somewhere in the remaining string.
Not sure if those extra checks would be really required/wanted.
> Put them in lib/uil/util.c
>
> Then it should be easy to just call these instead of the horrid
> strtoul() and strtoull() functions and know that they're safe
> to use anywhere. Will mean less code changes, and just the
> additional &err parameter being checked.
You're absolutely right !
>
> Does that sound like a plan ?
It does !
So what do you think of the above version of the new string conversion
function ?
If that's ok with you, I'll create a patch getting it into the code.
Thanks for your support in advance.
Cheers Swen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190111/b398c58f/signature.sig>
More information about the samba-technical
mailing list