Use clamping to more easily normalize input values

The kernel has min/max/clamp macros to make range comparisons easier.
Clamp is a newer invention, but we can define it for older kernels in
terms of min and max.

5 files changed, 25 insertions, 20 deletions

diff --git a/runtime/runtime.h b/runtime/runtime.h
index 91c48d57..c51520d0 100644
--- a/runtime/runtime.h
+++ b/runtime/runtime.h
@@ -50,6 +50,14 @@
 #define stp_for_each_cpu(cpu)  for_each_cpu_mask((cpu), cpu_possible_map)
 #endif
 
+#ifndef clamp
+#define clamp(val, low, high)     min(max(low, val), high)
+#endif
+
+#ifndef clamp_t
+#define clamp_t(type, val, low, high)   min_t(type, max_t(type, low, val), high)
+#endif
+
 static void _stp_dbug (const char *func, int line, const char *fmt, ...) __attribute__ ((format (printf, 3, 4)));
 static void _stp_error (const char *fmt, ...) __attribute__ ((format (printf, 1, 2)));
 static void _stp_warn (const char *fmt, ...) __attribute__ ((format (printf, 1, 2)));
diff --git a/runtime/string.c b/runtime/string.c
index 1d4cb255..afef191a 100644
--- a/runtime/string.c
+++ b/runtime/string.c
@@ -68,10 +68,10 @@ static void _stp_text_str(char *outstr, char *in, int len, int quoted, int user)
 {
 	char c, *out = outstr;
 
-	if (len == 0 || len > MAXSTRINGLEN-1)
+	if (len <= 0 || len > MAXSTRINGLEN-1)
 		len = MAXSTRINGLEN-1;
 	if (quoted) {
-		len -= 2;
+		len = max(len, 5) - 2;
 		*out++ = '"';
 	}
 
diff --git a/runtime/vsprintf.c b/runtime/vsprintf.c
index 5875d509..3f5f2745 100644
--- a/runtime/vsprintf.c
+++ b/runtime/vsprintf.c
@@ -269,7 +269,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
                     /* get field width */
                     field_width = -1;
                     if (isdigit(*fmt_copy))
-                            field_width = skip_atoi(&fmt_copy);
+                            field_width = clamp(skip_atoi(&fmt_copy), 0, STP_BUFFER_SIZE);
                     else if (*fmt_copy == '*') {
                             ++fmt_copy;
                             /* it's the next argument */
@@ -278,6 +278,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
                                     field_width = -field_width;
                                     flags |= STP_LEFT;
                             }
+                            field_width = clamp(field_width, 0, STP_BUFFER_SIZE);
                     }
 
                     /* get the precision */
@@ -291,8 +292,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
                                     /* it's the next argument */
                                     precision = va_arg(args_copy, int);
                             }
-                            if (precision < 0)
-                                    precision = 0;
+                            precision = clamp(precision, 0, STP_BUFFER_SIZE);
                     }
 
                     /* get the conversion qualifier */
@@ -511,7 +511,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
 		/* get field width */
 		field_width = -1;
 		if (isdigit(*fmt))
-			field_width = skip_atoi(&fmt);
+			field_width = clamp(skip_atoi(&fmt), 0, (int)size);
 		else if (*fmt == '*') {
 			++fmt;
 			/* it's the next argument */
@@ -520,6 +520,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
 				field_width = -field_width;
 				flags |= STP_LEFT;
 			}
+			field_width = clamp(field_width, 0, (int)size);
 		}
 
 		/* get the precision */
@@ -533,8 +534,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
 				/* it's the next argument */
 				precision = va_arg(args, int);
 			}
-			if (precision < 0)
-				precision = 0;
+			precision = clamp(precision, 0, (int)size);
 		}
 
 		/* get the conversion qualifier */
diff --git a/tapset/conversions.stp b/tapset/conversions.stp
index ec990aed..3bbbb725 100644
--- a/tapset/conversions.stp
+++ b/tapset/conversions.stp
@@ -35,8 +35,7 @@ deref_fault: /* branched to from deref_string() */
  */
 function kernel_string_n:string (addr:long, n:long) %{ /* pure */
   char *destination = THIS->__retvalue;
-  long len = THIS->n + 1;
-  len = (len > MAXSTRINGLEN) ? MAXSTRINGLEN : len;
+  int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN);
   deref_string (destination, THIS->addr, len);
   if (0) {
 deref_fault: /* branched to from deref_string() */
@@ -210,9 +209,8 @@ function user_string_n:string (addr:long, n:long) {
  * the rare cases when userspace data is not accessible at the given address.
  */
 function user_string_n2:string (addr:long, n:long, err_msg:string) %{ /* pure */ /* unprivileged */
-	long len = THIS->n + 1;
+	int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN);
         assert_is_myproc();
-	len = (len > MAXSTRINGLEN) ? MAXSTRINGLEN : len;
 	if (_stp_strncpy_from_user(THIS->__retvalue,
 				(char __user *) (uintptr_t) THIS->addr,
 				len) < 0)
@@ -232,11 +230,10 @@ function user_string_n2:string (addr:long, n:long, err_msg:string) %{ /* pure */
  * about the failure.
  */
 function user_string_n_warn:string (addr:long, n:long) %{ /* pure */ /* unprivileged */
-	long len = THIS->n + 1;
+	int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN);
 	long rc;
 
         assert_is_myproc();
-	len = (len > MAXSTRINGLEN) ? MAXSTRINGLEN : len;
 	rc = _stp_strncpy_from_user(THIS->__retvalue,
 			(char __user *) (uintptr_t) THIS->addr, len);
 	if (rc < 0) {
@@ -264,9 +261,8 @@ function user_string_n_warn:string (addr:long, n:long) %{ /* pure */ /* unprivil
  * address.
  */
 function user_string_n_quoted:string (addr:long, n:long) %{ /* pure */ /* unprivileged */
-        long len;
+        int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN);
         assert_is_myproc();
-	len = THIS->n + 1;
 	if (THIS->addr == 0)
 		strlcpy(THIS->__retvalue, "NULL", MAXSTRINGLEN);
 	else
diff --git a/tapset/string.stp b/tapset/string.stp
index 59ba74ee..d03e5570 100644
--- a/tapset/string.stp
+++ b/tapset/string.stp
@@ -27,8 +27,8 @@ function strlen:long(s:string) %{ /* pure */ /* unprivileged */
  * starting at the given start position.
  */
 function substr:string(str:string,start:long, length:long) %{ /* pure */ /* unprivileged */
-	int length = THIS->length >= MAXSTRINGLEN ? MAXSTRINGLEN : THIS->length + 1;
-	if (THIS->start >= 0 && length > 0 && THIS->start < strlen(THIS->str))
+	int64_t length = clamp_t(int64_t, THIS->length + 1, 0, MAXSTRINGLEN);
+	if (THIS->start >= 0 && THIS->start < strlen(THIS->str))
 		strlcpy(THIS->__retvalue, THIS->str + THIS->start, length);
 %}
 
@@ -87,7 +87,8 @@ function text_str:string(input:string)
  */
 function text_strn:string(input:string, len:long, quoted:long)
 %{ /* pure */ /* unprivileged */
-	_stp_text_str(THIS->__retvalue, THIS->input, THIS->len, THIS->quoted, 0);
+	int64_t len = clamp_t(int64_t, THIS->len, 0, MAXSTRINGLEN);
+	_stp_text_str(THIS->__retvalue, THIS->input, len, THIS->quoted, 0);
 %}
 
 /**
@@ -162,4 +163,4 @@ function str_replace:string (prnt_str:string, srch_str:string, rplc_str:string)
 function strtol:long(str:string, base:long)
 %{ /* pure */ /* unprivileged */
 	THIS->__retvalue = simple_strtol(THIS->str, NULL, THIS->base);
-%}
\ No newline at end of file
+%}