diff mbox series

net/af_xdp: use snprintf instead of strncpy

Message ID 20201007090137.5121-1-ciara.loftus@intel.com (mailing list archive)
State Superseded, archived
Delegated to: Ferruh Yigit
Headers show
Series net/af_xdp: use snprintf instead of strncpy | expand

Checks

Context Check Description
ci/iol-mellanox-Performance success Performance Testing PASS
ci/travis-robot success Travis build: passed
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/checkpatch success coding style OK

Commit Message

Ciara Loftus Oct. 7, 2020, 9:01 a.m. UTC
strncpy may leave the destination buffer not NULL terminated so use
snprintf instead.

Coverity issue: 362975
Fixes: 339b88c6a91f ("net/af_xdp: support multi-queue")
Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
---
 drivers/net/af_xdp/rte_eth_af_xdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Ferruh Yigit Oct. 7, 2020, 9:40 a.m. UTC | #1
On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> strncpy may leave the destination buffer not NULL terminated so use
> snprintf instead.

What do you think using 'strlcpy'?

> 
> Coverity issue: 362975
> Fixes: 339b88c6a91f ("net/af_xdp: support multi-queue")
> Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
> ---
>   drivers/net/af_xdp/rte_eth_af_xdp.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
> index eaf2c9c873..52495cb8fb 100644
> --- a/drivers/net/af_xdp/rte_eth_af_xdp.c
> +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
> @@ -1362,7 +1362,7 @@ xdp_get_channels_info(const char *if_name, int *max_queues,
>   
>   	channels.cmd = ETHTOOL_GCHANNELS;
>   	ifr.ifr_data = (void *)&channels;
> -	strncpy(ifr.ifr_name, if_name, IFNAMSIZ);
> +	snprintf(ifr.ifr_name, IFNAMSIZ, "%s", if_name);
>   	ret = ioctl(fd, SIOCETHTOOL, &ifr);
>   	if (ret) {
>   		if (errno == EOPNOTSUPP) {
>
Olivier Matz Oct. 7, 2020, 9:51 a.m. UTC | #2
On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
> On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> > strncpy may leave the destination buffer not NULL terminated so use
> > snprintf instead.
> 
> What do you think using 'strlcpy'?

Or even better, rte_strscpy()
https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761

> 
> > 
> > Coverity issue: 362975
> > Fixes: 339b88c6a91f ("net/af_xdp: support multi-queue")
> > Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
> > ---
> >   drivers/net/af_xdp/rte_eth_af_xdp.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
> > index eaf2c9c873..52495cb8fb 100644
> > --- a/drivers/net/af_xdp/rte_eth_af_xdp.c
> > +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
> > @@ -1362,7 +1362,7 @@ xdp_get_channels_info(const char *if_name, int *max_queues,
> >   	channels.cmd = ETHTOOL_GCHANNELS;
> >   	ifr.ifr_data = (void *)&channels;
> > -	strncpy(ifr.ifr_name, if_name, IFNAMSIZ);
> > +	snprintf(ifr.ifr_name, IFNAMSIZ, "%s", if_name);
> >   	ret = ioctl(fd, SIOCETHTOOL, &ifr);
> >   	if (ret) {
> >   		if (errno == EOPNOTSUPP) {
> > 
>
Bruce Richardson Oct. 7, 2020, 10:26 a.m. UTC | #3
On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
> On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
> > On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> > > strncpy may leave the destination buffer not NULL terminated so use
> > > snprintf instead.
> > 
> > What do you think using 'strlcpy'?
> 
> Or even better, rte_strscpy()
> https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
> 
I think this is largely a matter of preference, and unless there is a good
reason not to, I tend towards strlcpy as the older and more common (till
now) interface. The main thing is just to use a function that will
guarantee dest is null-terminated here, and both strlcpy and strscpy meet
that criteria.

/Bruce
Bruce Richardson Oct. 7, 2020, 10:28 a.m. UTC | #4
On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote:
> On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
> > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
> > > On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> > > > strncpy may leave the destination buffer not NULL terminated so use
> > > > snprintf instead.
> > > 
> > > What do you think using 'strlcpy'?
> > 
> > Or even better, rte_strscpy()
> > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
> > 
> I think this is largely a matter of preference, and unless there is a good
> reason not to, I tend towards strlcpy as the older and more common (till
> now) interface. The main thing is just to use a function that will
> guarantee dest is null-terminated here, and both strlcpy and strscpy meet
> that criteria.
> 
I'd also add that strlcpy is more likely to be recognised by tools like
coverity, compared to rte_strscpy which is DPDK-specific.

/Bruce
Ferruh Yigit Oct. 7, 2020, 11:45 a.m. UTC | #5
On 10/7/2020 11:28 AM, Bruce Richardson wrote:
> On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote:
>> On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
>>> On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
>>>> On 10/7/2020 10:01 AM, Ciara Loftus wrote:
>>>>> strncpy may leave the destination buffer not NULL terminated so use
>>>>> snprintf instead.
>>>>
>>>> What do you think using 'strlcpy'?
>>>
>>> Or even better, rte_strscpy()
>>> https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
>>>
>> I think this is largely a matter of preference, and unless there is a good
>> reason not to, I tend towards strlcpy as the older and more common (till
>> now) interface. The main thing is just to use a function that will
>> guarantee dest is null-terminated here, and both strlcpy and strscpy meet
>> that criteria.
>>
> I'd also add that strlcpy is more likely to be recognised by tools like
> coverity, compared to rte_strscpy which is DPDK-specific.
> 

+1 to 'strlcpy'
Gaëtan Rivet Oct. 9, 2020, 10:36 a.m. UTC | #6
On 07/10/20 12:45 +0100, Ferruh Yigit wrote:
> On 10/7/2020 11:28 AM, Bruce Richardson wrote:
> > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote:
> > > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
> > > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
> > > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> > > > > > strncpy may leave the destination buffer not NULL terminated so use
> > > > > > snprintf instead.
> > > > > 
> > > > > What do you think using 'strlcpy'?
> > > > 
> > > > Or even better, rte_strscpy()
> > > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
> > > > 
> > > I think this is largely a matter of preference, and unless there is a good
> > > reason not to, I tend towards strlcpy as the older and more common (till
> > > now) interface. The main thing is just to use a function that will
> > > guarantee dest is null-terminated here, and both strlcpy and strscpy meet
> > > that criteria.
> > > 
> > I'd also add that strlcpy is more likely to be recognised by tools like
> > coverity, compared to rte_strscpy which is DPDK-specific.
> > 
> 
> +1 to 'strlcpy'

Using strlcpy will be more recognized by static analyzer indeed.

But strscpy API is better:

* It helps checking string truncation by making it easier:

  if (strlcpy(dst, src, dstsize) >= dstsize)
        /* Dev + reviewer needs to think about using >= and not >, dstsize is
         * repeated so either dst is an array or it needs a dedicated variable.
         * Deal with truncation.
         */

  if (rte_strscpy(dst, src, dstsize) < 0)
        /* deal with truncation. */

* It is safer when dealing with unknown data source. strlcpy will always
  read all of src, because the API (uselessly) defines the return value
  to strlen(src).

Having yet another string copy function is contentious, but we can avoid
using worse API to please tools.

And detecting string truncation *is* helpful. String are used as IDs in
DPDK for some objects. Using strlcpy / snprintf at least protects from
buffer overflow, which is a bare minimum. A good implementation would
also warn the user about a config error / memory corruption happening
sooner.

In any case, sure to fix a sanity check strlcpy / snprintf will work.

Cheers,
Bruce Richardson Oct. 9, 2020, 10:49 a.m. UTC | #7
On Fri, Oct 09, 2020 at 12:36:30PM +0200, Gaëtan Rivet wrote:
> On 07/10/20 12:45 +0100, Ferruh Yigit wrote:
> > On 10/7/2020 11:28 AM, Bruce Richardson wrote:
> > > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote:
> > > > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
> > > > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
> > > > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> > > > > > > strncpy may leave the destination buffer not NULL terminated so use
> > > > > > > snprintf instead.
> > > > > > 
> > > > > > What do you think using 'strlcpy'?
> > > > > 
> > > > > Or even better, rte_strscpy()
> > > > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
> > > > > 
> > > > I think this is largely a matter of preference, and unless there is a good
> > > > reason not to, I tend towards strlcpy as the older and more common (till
> > > > now) interface. The main thing is just to use a function that will
> > > > guarantee dest is null-terminated here, and both strlcpy and strscpy meet
> > > > that criteria.
> > > > 
> > > I'd also add that strlcpy is more likely to be recognised by tools like
> > > coverity, compared to rte_strscpy which is DPDK-specific.
> > > 
> > 
> > +1 to 'strlcpy'
> 
> Using strlcpy will be more recognized by static analyzer indeed.
> 
> But strscpy API is better:
> 
> * It helps checking string truncation by making it easier:
> 
>   if (strlcpy(dst, src, dstsize) >= dstsize)
>         /* Dev + reviewer needs to think about using >= and not >, dstsize is
>          * repeated so either dst is an array or it needs a dedicated variable.
>          * Deal with truncation.
>          */
> 
>   if (rte_strscpy(dst, src, dstsize) < 0)
>         /* deal with truncation. */
> 
> * It is safer when dealing with unknown data source. strlcpy will always
>   read all of src, because the API (uselessly) defines the return value
>   to strlen(src).
> 
> Having yet another string copy function is contentious, but we can avoid
> using worse API to please tools.
> 
> And detecting string truncation *is* helpful. String are used as IDs in
> DPDK for some objects. Using strlcpy / snprintf at least protects from
> buffer overflow, which is a bare minimum. A good implementation would
> also warn the user about a config error / memory corruption happening
> sooner.
> 
> In any case, sure to fix a sanity check strlcpy / snprintf will work.
> 

Yes.

My main issue with strscpy right now is that it's got to be a DPDK-specific
function, since AFAIK it's defined in no standard C library, just in the
Linux kernel. If we get strscpy added to e.g. glibc, then we can see about
starting to use it - letting meson do the work of detect if it's present
and allowing us to define a fallback only in case it's not (i.e. as is done
with strlcpy).
Ferruh Yigit Oct. 9, 2020, 10:59 a.m. UTC | #8
On 10/9/2020 11:36 AM, Gaëtan Rivet wrote:
> On 07/10/20 12:45 +0100, Ferruh Yigit wrote:
>> On 10/7/2020 11:28 AM, Bruce Richardson wrote:
>>> On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote:
>>>> On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
>>>>> On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
>>>>>> On 10/7/2020 10:01 AM, Ciara Loftus wrote:
>>>>>>> strncpy may leave the destination buffer not NULL terminated so use
>>>>>>> snprintf instead.
>>>>>>
>>>>>> What do you think using 'strlcpy'?
>>>>>
>>>>> Or even better, rte_strscpy()
>>>>> https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
>>>>>
>>>> I think this is largely a matter of preference, and unless there is a good
>>>> reason not to, I tend towards strlcpy as the older and more common (till
>>>> now) interface. The main thing is just to use a function that will
>>>> guarantee dest is null-terminated here, and both strlcpy and strscpy meet
>>>> that criteria.
>>>>
>>> I'd also add that strlcpy is more likely to be recognised by tools like
>>> coverity, compared to rte_strscpy which is DPDK-specific.
>>>
>>
>> +1 to 'strlcpy'
> 
> Using strlcpy will be more recognized by static analyzer indeed.
> 
> But strscpy API is better:
> 
> * It helps checking string truncation by making it easier:
> 
>    if (strlcpy(dst, src, dstsize) >= dstsize)
>          /* Dev + reviewer needs to think about using >= and not >, dstsize is
>           * repeated so either dst is an array or it needs a dedicated variable.
>           * Deal with truncation.
>           */
> 
>    if (rte_strscpy(dst, src, dstsize) < 0)
>          /* deal with truncation. */
> 
> * It is safer when dealing with unknown data source. strlcpy will always
>    read all of src, because the API (uselessly) defines the return value
>    to strlen(src).
> 
> Having yet another string copy function is contentious, but we can avoid
> using worse API to please tools.
> 
> And detecting string truncation *is* helpful. String are used as IDs in
> DPDK for some objects. Using strlcpy / snprintf at least protects from
> buffer overflow, which is a bare minimum. A good implementation would
> also warn the user about a config error / memory corruption happening
> sooner.
> 
> In any case, sure to fix a sanity check strlcpy / snprintf will work.
> 

I also think 'strscpy' is better API, and we had similar discussion before [1] 
and the decision was to prefer 'strlcpy'.

[1] http://inbox.dpdk.org/dev/b800d417-c33d-af4e-b506-8f31ae919410@intel.com/#t
Gaëtan Rivet Oct. 9, 2020, 4:37 p.m. UTC | #9
On 09/10/20 11:59 +0100, Ferruh Yigit wrote:
> On 10/9/2020 11:36 AM, Gaëtan Rivet wrote:
> > On 07/10/20 12:45 +0100, Ferruh Yigit wrote:
> > > On 10/7/2020 11:28 AM, Bruce Richardson wrote:
> > > > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote:
> > > > > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote:
> > > > > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote:
> > > > > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote:
> > > > > > > > strncpy may leave the destination buffer not NULL terminated so use
> > > > > > > > snprintf instead.
> > > > > > > 
> > > > > > > What do you think using 'strlcpy'?
> > > > > > 
> > > > > > Or even better, rte_strscpy()
> > > > > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761
> > > > > > 
> > > > > I think this is largely a matter of preference, and unless there is a good
> > > > > reason not to, I tend towards strlcpy as the older and more common (till
> > > > > now) interface. The main thing is just to use a function that will
> > > > > guarantee dest is null-terminated here, and both strlcpy and strscpy meet
> > > > > that criteria.
> > > > > 
> > > > I'd also add that strlcpy is more likely to be recognised by tools like
> > > > coverity, compared to rte_strscpy which is DPDK-specific.
> > > > 
> > > 
> > > +1 to 'strlcpy'
> > 
> > Using strlcpy will be more recognized by static analyzer indeed.
> > 
> > But strscpy API is better:
> > 
> > * It helps checking string truncation by making it easier:
> > 
> >    if (strlcpy(dst, src, dstsize) >= dstsize)
> >          /* Dev + reviewer needs to think about using >= and not >, dstsize is
> >           * repeated so either dst is an array or it needs a dedicated variable.
> >           * Deal with truncation.
> >           */
> > 
> >    if (rte_strscpy(dst, src, dstsize) < 0)
> >          /* deal with truncation. */
> > 
> > * It is safer when dealing with unknown data source. strlcpy will always
> >    read all of src, because the API (uselessly) defines the return value
> >    to strlen(src).
> > 
> > Having yet another string copy function is contentious, but we can avoid
> > using worse API to please tools.
> > 
> > And detecting string truncation *is* helpful. String are used as IDs in
> > DPDK for some objects. Using strlcpy / snprintf at least protects from
> > buffer overflow, which is a bare minimum. A good implementation would
> > also warn the user about a config error / memory corruption happening
> > sooner.
> > 
> > In any case, sure to fix a sanity check strlcpy / snprintf will work.
> > 
> 
> I also think 'strscpy' is better API, and we had similar discussion before
> [1] and the decision was to prefer 'strlcpy'.
> 
> [1] http://inbox.dpdk.org/dev/b800d417-c33d-af4e-b506-8f31ae919410@intel.com/#t

Good memory! I hadn't seen this thread, thanks.
diff mbox series

Patch

diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
index eaf2c9c873..52495cb8fb 100644
--- a/drivers/net/af_xdp/rte_eth_af_xdp.c
+++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
@@ -1362,7 +1362,7 @@  xdp_get_channels_info(const char *if_name, int *max_queues,
 
 	channels.cmd = ETHTOOL_GCHANNELS;
 	ifr.ifr_data = (void *)&channels;
-	strncpy(ifr.ifr_name, if_name, IFNAMSIZ);
+	snprintf(ifr.ifr_name, IFNAMSIZ, "%s", if_name);
 	ret = ioctl(fd, SIOCETHTOOL, &ifr);
 	if (ret) {
 		if (errno == EOPNOTSUPP) {