| Message ID | 20201007090137.5121-1-ciara.loftus@intel.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Delegated to: | Ferruh Yigit |
| Headers | show |
| Series | net/af_xdp: use snprintf instead of strncpy | expand |
| Context | Check | Description |
|---|---|---|
| ci/iol-mellanox-Performance | success | Performance Testing PASS |
| ci/travis-robot | success | Travis build: passed |
| ci/iol-intel-Performance | success | Performance Testing PASS |
| ci/iol-testing | success | Testing PASS |
| ci/Intel-compilation | success | Compilation OK |
| ci/checkpatch | success | coding style OK |
On 10/7/2020 10:01 AM, Ciara Loftus wrote: > strncpy may leave the destination buffer not NULL terminated so use > snprintf instead. What do you think using 'strlcpy'? > > Coverity issue: 362975 > Fixes: 339b88c6a91f ("net/af_xdp: support multi-queue") > Signed-off-by: Ciara Loftus <ciara.loftus@intel.com> > --- > drivers/net/af_xdp/rte_eth_af_xdp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c > index eaf2c9c873..52495cb8fb 100644 > --- a/drivers/net/af_xdp/rte_eth_af_xdp.c > +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c > @@ -1362,7 +1362,7 @@ xdp_get_channels_info(const char *if_name, int *max_queues, > > channels.cmd = ETHTOOL_GCHANNELS; > ifr.ifr_data = (void *)&channels; > - strncpy(ifr.ifr_name, if_name, IFNAMSIZ); > + snprintf(ifr.ifr_name, IFNAMSIZ, "%s", if_name); > ret = ioctl(fd, SIOCETHTOOL, &ifr); > if (ret) { > if (errno == EOPNOTSUPP) { >
On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: > On 10/7/2020 10:01 AM, Ciara Loftus wrote: > > strncpy may leave the destination buffer not NULL terminated so use > > snprintf instead. > > What do you think using 'strlcpy'? Or even better, rte_strscpy() https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 > > > > > Coverity issue: 362975 > > Fixes: 339b88c6a91f ("net/af_xdp: support multi-queue") > > Signed-off-by: Ciara Loftus <ciara.loftus@intel.com> > > --- > > drivers/net/af_xdp/rte_eth_af_xdp.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c > > index eaf2c9c873..52495cb8fb 100644 > > --- a/drivers/net/af_xdp/rte_eth_af_xdp.c > > +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c > > @@ -1362,7 +1362,7 @@ xdp_get_channels_info(const char *if_name, int *max_queues, > > channels.cmd = ETHTOOL_GCHANNELS; > > ifr.ifr_data = (void *)&channels; > > - strncpy(ifr.ifr_name, if_name, IFNAMSIZ); > > + snprintf(ifr.ifr_name, IFNAMSIZ, "%s", if_name); > > ret = ioctl(fd, SIOCETHTOOL, &ifr); > > if (ret) { > > if (errno == EOPNOTSUPP) { > > >
On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote: > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: > > On 10/7/2020 10:01 AM, Ciara Loftus wrote: > > > strncpy may leave the destination buffer not NULL terminated so use > > > snprintf instead. > > > > What do you think using 'strlcpy'? > > Or even better, rte_strscpy() > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 > I think this is largely a matter of preference, and unless there is a good reason not to, I tend towards strlcpy as the older and more common (till now) interface. The main thing is just to use a function that will guarantee dest is null-terminated here, and both strlcpy and strscpy meet that criteria. /Bruce
On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote: > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote: > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote: > > > > strncpy may leave the destination buffer not NULL terminated so use > > > > snprintf instead. > > > > > > What do you think using 'strlcpy'? > > > > Or even better, rte_strscpy() > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 > > > I think this is largely a matter of preference, and unless there is a good > reason not to, I tend towards strlcpy as the older and more common (till > now) interface. The main thing is just to use a function that will > guarantee dest is null-terminated here, and both strlcpy and strscpy meet > that criteria. > I'd also add that strlcpy is more likely to be recognised by tools like coverity, compared to rte_strscpy which is DPDK-specific. /Bruce
On 10/7/2020 11:28 AM, Bruce Richardson wrote: > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote: >> On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote: >>> On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: >>>> On 10/7/2020 10:01 AM, Ciara Loftus wrote: >>>>> strncpy may leave the destination buffer not NULL terminated so use >>>>> snprintf instead. >>>> >>>> What do you think using 'strlcpy'? >>> >>> Or even better, rte_strscpy() >>> https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 >>> >> I think this is largely a matter of preference, and unless there is a good >> reason not to, I tend towards strlcpy as the older and more common (till >> now) interface. The main thing is just to use a function that will >> guarantee dest is null-terminated here, and both strlcpy and strscpy meet >> that criteria. >> > I'd also add that strlcpy is more likely to be recognised by tools like > coverity, compared to rte_strscpy which is DPDK-specific. > +1 to 'strlcpy'
On 07/10/20 12:45 +0100, Ferruh Yigit wrote: > On 10/7/2020 11:28 AM, Bruce Richardson wrote: > > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote: > > > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote: > > > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: > > > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote: > > > > > > strncpy may leave the destination buffer not NULL terminated so use > > > > > > snprintf instead. > > > > > > > > > > What do you think using 'strlcpy'? > > > > > > > > Or even better, rte_strscpy() > > > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 > > > > > > > I think this is largely a matter of preference, and unless there is a good > > > reason not to, I tend towards strlcpy as the older and more common (till > > > now) interface. The main thing is just to use a function that will > > > guarantee dest is null-terminated here, and both strlcpy and strscpy meet > > > that criteria. > > > > > I'd also add that strlcpy is more likely to be recognised by tools like > > coverity, compared to rte_strscpy which is DPDK-specific. > > > > +1 to 'strlcpy' Using strlcpy will be more recognized by static analyzer indeed. But strscpy API is better: * It helps checking string truncation by making it easier: if (strlcpy(dst, src, dstsize) >= dstsize) /* Dev + reviewer needs to think about using >= and not >, dstsize is * repeated so either dst is an array or it needs a dedicated variable. * Deal with truncation. */ if (rte_strscpy(dst, src, dstsize) < 0) /* deal with truncation. */ * It is safer when dealing with unknown data source. strlcpy will always read all of src, because the API (uselessly) defines the return value to strlen(src). Having yet another string copy function is contentious, but we can avoid using worse API to please tools. And detecting string truncation *is* helpful. String are used as IDs in DPDK for some objects. Using strlcpy / snprintf at least protects from buffer overflow, which is a bare minimum. A good implementation would also warn the user about a config error / memory corruption happening sooner. In any case, sure to fix a sanity check strlcpy / snprintf will work. Cheers,
On Fri, Oct 09, 2020 at 12:36:30PM +0200, Gaëtan Rivet wrote: > On 07/10/20 12:45 +0100, Ferruh Yigit wrote: > > On 10/7/2020 11:28 AM, Bruce Richardson wrote: > > > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote: > > > > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote: > > > > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: > > > > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote: > > > > > > > strncpy may leave the destination buffer not NULL terminated so use > > > > > > > snprintf instead. > > > > > > > > > > > > What do you think using 'strlcpy'? > > > > > > > > > > Or even better, rte_strscpy() > > > > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 > > > > > > > > > I think this is largely a matter of preference, and unless there is a good > > > > reason not to, I tend towards strlcpy as the older and more common (till > > > > now) interface. The main thing is just to use a function that will > > > > guarantee dest is null-terminated here, and both strlcpy and strscpy meet > > > > that criteria. > > > > > > > I'd also add that strlcpy is more likely to be recognised by tools like > > > coverity, compared to rte_strscpy which is DPDK-specific. > > > > > > > +1 to 'strlcpy' > > Using strlcpy will be more recognized by static analyzer indeed. > > But strscpy API is better: > > * It helps checking string truncation by making it easier: > > if (strlcpy(dst, src, dstsize) >= dstsize) > /* Dev + reviewer needs to think about using >= and not >, dstsize is > * repeated so either dst is an array or it needs a dedicated variable. > * Deal with truncation. > */ > > if (rte_strscpy(dst, src, dstsize) < 0) > /* deal with truncation. */ > > * It is safer when dealing with unknown data source. strlcpy will always > read all of src, because the API (uselessly) defines the return value > to strlen(src). > > Having yet another string copy function is contentious, but we can avoid > using worse API to please tools. > > And detecting string truncation *is* helpful. String are used as IDs in > DPDK for some objects. Using strlcpy / snprintf at least protects from > buffer overflow, which is a bare minimum. A good implementation would > also warn the user about a config error / memory corruption happening > sooner. > > In any case, sure to fix a sanity check strlcpy / snprintf will work. > Yes. My main issue with strscpy right now is that it's got to be a DPDK-specific function, since AFAIK it's defined in no standard C library, just in the Linux kernel. If we get strscpy added to e.g. glibc, then we can see about starting to use it - letting meson do the work of detect if it's present and allowing us to define a fallback only in case it's not (i.e. as is done with strlcpy).
On 10/9/2020 11:36 AM, Gaëtan Rivet wrote: > On 07/10/20 12:45 +0100, Ferruh Yigit wrote: >> On 10/7/2020 11:28 AM, Bruce Richardson wrote: >>> On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote: >>>> On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote: >>>>> On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: >>>>>> On 10/7/2020 10:01 AM, Ciara Loftus wrote: >>>>>>> strncpy may leave the destination buffer not NULL terminated so use >>>>>>> snprintf instead. >>>>>> >>>>>> What do you think using 'strlcpy'? >>>>> >>>>> Or even better, rte_strscpy() >>>>> https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 >>>>> >>>> I think this is largely a matter of preference, and unless there is a good >>>> reason not to, I tend towards strlcpy as the older and more common (till >>>> now) interface. The main thing is just to use a function that will >>>> guarantee dest is null-terminated here, and both strlcpy and strscpy meet >>>> that criteria. >>>> >>> I'd also add that strlcpy is more likely to be recognised by tools like >>> coverity, compared to rte_strscpy which is DPDK-specific. >>> >> >> +1 to 'strlcpy' > > Using strlcpy will be more recognized by static analyzer indeed. > > But strscpy API is better: > > * It helps checking string truncation by making it easier: > > if (strlcpy(dst, src, dstsize) >= dstsize) > /* Dev + reviewer needs to think about using >= and not >, dstsize is > * repeated so either dst is an array or it needs a dedicated variable. > * Deal with truncation. > */ > > if (rte_strscpy(dst, src, dstsize) < 0) > /* deal with truncation. */ > > * It is safer when dealing with unknown data source. strlcpy will always > read all of src, because the API (uselessly) defines the return value > to strlen(src). > > Having yet another string copy function is contentious, but we can avoid > using worse API to please tools. > > And detecting string truncation *is* helpful. String are used as IDs in > DPDK for some objects. Using strlcpy / snprintf at least protects from > buffer overflow, which is a bare minimum. A good implementation would > also warn the user about a config error / memory corruption happening > sooner. > > In any case, sure to fix a sanity check strlcpy / snprintf will work. > I also think 'strscpy' is better API, and we had similar discussion before [1] and the decision was to prefer 'strlcpy'. [1] http://inbox.dpdk.org/dev/b800d417-c33d-af4e-b506-8f31ae919410@intel.com/#t
On 09/10/20 11:59 +0100, Ferruh Yigit wrote: > On 10/9/2020 11:36 AM, Gaëtan Rivet wrote: > > On 07/10/20 12:45 +0100, Ferruh Yigit wrote: > > > On 10/7/2020 11:28 AM, Bruce Richardson wrote: > > > > On Wed, Oct 07, 2020 at 11:26:38AM +0100, Bruce Richardson wrote: > > > > > On Wed, Oct 07, 2020 at 11:51:31AM +0200, Olivier Matz wrote: > > > > > > On Wed, Oct 07, 2020 at 10:40:32AM +0100, Ferruh Yigit wrote: > > > > > > > On 10/7/2020 10:01 AM, Ciara Loftus wrote: > > > > > > > > strncpy may leave the destination buffer not NULL terminated so use > > > > > > > > snprintf instead. > > > > > > > > > > > > > > What do you think using 'strlcpy'? > > > > > > > > > > > > Or even better, rte_strscpy() > > > > > > https://git.dpdk.org/dpdk/commit/?id=b0236c7cf761 > > > > > > > > > > > I think this is largely a matter of preference, and unless there is a good > > > > > reason not to, I tend towards strlcpy as the older and more common (till > > > > > now) interface. The main thing is just to use a function that will > > > > > guarantee dest is null-terminated here, and both strlcpy and strscpy meet > > > > > that criteria. > > > > > > > > > I'd also add that strlcpy is more likely to be recognised by tools like > > > > coverity, compared to rte_strscpy which is DPDK-specific. > > > > > > > > > > +1 to 'strlcpy' > > > > Using strlcpy will be more recognized by static analyzer indeed. > > > > But strscpy API is better: > > > > * It helps checking string truncation by making it easier: > > > > if (strlcpy(dst, src, dstsize) >= dstsize) > > /* Dev + reviewer needs to think about using >= and not >, dstsize is > > * repeated so either dst is an array or it needs a dedicated variable. > > * Deal with truncation. > > */ > > > > if (rte_strscpy(dst, src, dstsize) < 0) > > /* deal with truncation. */ > > > > * It is safer when dealing with unknown data source. strlcpy will always > > read all of src, because the API (uselessly) defines the return value > > to strlen(src). > > > > Having yet another string copy function is contentious, but we can avoid > > using worse API to please tools. > > > > And detecting string truncation *is* helpful. String are used as IDs in > > DPDK for some objects. Using strlcpy / snprintf at least protects from > > buffer overflow, which is a bare minimum. A good implementation would > > also warn the user about a config error / memory corruption happening > > sooner. > > > > In any case, sure to fix a sanity check strlcpy / snprintf will work. > > > > I also think 'strscpy' is better API, and we had similar discussion before > [1] and the decision was to prefer 'strlcpy'. > > [1] http://inbox.dpdk.org/dev/b800d417-c33d-af4e-b506-8f31ae919410@intel.com/#t Good memory! I hadn't seen this thread, thanks.
diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c index eaf2c9c873..52495cb8fb 100644 --- a/drivers/net/af_xdp/rte_eth_af_xdp.c +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c @@ -1362,7 +1362,7 @@ xdp_get_channels_info(const char *if_name, int *max_queues, channels.cmd = ETHTOOL_GCHANNELS; ifr.ifr_data = (void *)&channels; - strncpy(ifr.ifr_name, if_name, IFNAMSIZ); + snprintf(ifr.ifr_name, IFNAMSIZ, "%s", if_name); ret = ioctl(fd, SIOCETHTOOL, &ifr); if (ret) { if (errno == EOPNOTSUPP) {
strncpy may leave the destination buffer not NULL terminated so use snprintf instead. Coverity issue: 362975 Fixes: 339b88c6a91f ("net/af_xdp: support multi-queue") Signed-off-by: Ciara Loftus <ciara.loftus@intel.com> --- drivers/net/af_xdp/rte_eth_af_xdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)