diff options
-rw-r--r-- | runtime/runtime.h | 8 | ||||
-rw-r--r-- | runtime/string.c | 4 | ||||
-rw-r--r-- | runtime/vsprintf.c | 12 | ||||
-rw-r--r-- | tapset/conversions.stp | 12 | ||||
-rw-r--r-- | tapset/string.stp | 9 |
5 files changed, 25 insertions, 20 deletions
diff --git a/runtime/runtime.h b/runtime/runtime.h index 91c48d57..c51520d0 100644 --- a/runtime/runtime.h +++ b/runtime/runtime.h @@ -50,6 +50,14 @@ #define stp_for_each_cpu(cpu) for_each_cpu_mask((cpu), cpu_possible_map) #endif +#ifndef clamp +#define clamp(val, low, high) min(max(low, val), high) +#endif + +#ifndef clamp_t +#define clamp_t(type, val, low, high) min_t(type, max_t(type, low, val), high) +#endif + static void _stp_dbug (const char *func, int line, const char *fmt, ...) __attribute__ ((format (printf, 3, 4))); static void _stp_error (const char *fmt, ...) __attribute__ ((format (printf, 1, 2))); static void _stp_warn (const char *fmt, ...) __attribute__ ((format (printf, 1, 2))); diff --git a/runtime/string.c b/runtime/string.c index 1d4cb255..afef191a 100644 --- a/runtime/string.c +++ b/runtime/string.c @@ -68,10 +68,10 @@ static void _stp_text_str(char *outstr, char *in, int len, int quoted, int user) { char c, *out = outstr; - if (len == 0 || len > MAXSTRINGLEN-1) + if (len <= 0 || len > MAXSTRINGLEN-1) len = MAXSTRINGLEN-1; if (quoted) { - len -= 2; + len = max(len, 5) - 2; *out++ = '"'; } diff --git a/runtime/vsprintf.c b/runtime/vsprintf.c index 5875d509..3f5f2745 100644 --- a/runtime/vsprintf.c +++ b/runtime/vsprintf.c @@ -269,7 +269,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args) /* get field width */ field_width = -1; if (isdigit(*fmt_copy)) - field_width = skip_atoi(&fmt_copy); + field_width = clamp(skip_atoi(&fmt_copy), 0, STP_BUFFER_SIZE); else if (*fmt_copy == '*') { ++fmt_copy; /* it's the next argument */ @@ -278,6 +278,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args) field_width = -field_width; flags |= STP_LEFT; } + field_width = clamp(field_width, 0, STP_BUFFER_SIZE); } /* get the precision */ @@ -291,8 +292,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args) /* it's the next argument */ precision = va_arg(args_copy, int); } - if (precision < 0) - precision = 0; + precision = clamp(precision, 0, STP_BUFFER_SIZE); } /* get the conversion qualifier */ @@ -511,7 +511,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args) /* get field width */ field_width = -1; if (isdigit(*fmt)) - field_width = skip_atoi(&fmt); + field_width = clamp(skip_atoi(&fmt), 0, (int)size); else if (*fmt == '*') { ++fmt; /* it's the next argument */ @@ -520,6 +520,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args) field_width = -field_width; flags |= STP_LEFT; } + field_width = clamp(field_width, 0, (int)size); } /* get the precision */ @@ -533,8 +534,7 @@ static int _stp_vsnprintf(char *buf, size_t size, const char *fmt, va_list args) /* it's the next argument */ precision = va_arg(args, int); } - if (precision < 0) - precision = 0; + precision = clamp(precision, 0, (int)size); } /* get the conversion qualifier */ diff --git a/tapset/conversions.stp b/tapset/conversions.stp index ec990aed..3bbbb725 100644 --- a/tapset/conversions.stp +++ b/tapset/conversions.stp @@ -35,8 +35,7 @@ deref_fault: /* branched to from deref_string() */ */ function kernel_string_n:string (addr:long, n:long) %{ /* pure */ char *destination = THIS->__retvalue; - long len = THIS->n + 1; - len = (len > MAXSTRINGLEN) ? MAXSTRINGLEN : len; + int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN); deref_string (destination, THIS->addr, len); if (0) { deref_fault: /* branched to from deref_string() */ @@ -210,9 +209,8 @@ function user_string_n:string (addr:long, n:long) { * the rare cases when userspace data is not accessible at the given address. */ function user_string_n2:string (addr:long, n:long, err_msg:string) %{ /* pure */ /* unprivileged */ - long len = THIS->n + 1; + int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN); assert_is_myproc(); - len = (len > MAXSTRINGLEN) ? MAXSTRINGLEN : len; if (_stp_strncpy_from_user(THIS->__retvalue, (char __user *) (uintptr_t) THIS->addr, len) < 0) @@ -232,11 +230,10 @@ function user_string_n2:string (addr:long, n:long, err_msg:string) %{ /* pure */ * about the failure. */ function user_string_n_warn:string (addr:long, n:long) %{ /* pure */ /* unprivileged */ - long len = THIS->n + 1; + int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN); long rc; assert_is_myproc(); - len = (len > MAXSTRINGLEN) ? MAXSTRINGLEN : len; rc = _stp_strncpy_from_user(THIS->__retvalue, (char __user *) (uintptr_t) THIS->addr, len); if (rc < 0) { @@ -264,9 +261,8 @@ function user_string_n_warn:string (addr:long, n:long) %{ /* pure */ /* unprivil * address. */ function user_string_n_quoted:string (addr:long, n:long) %{ /* pure */ /* unprivileged */ - long len; + int64_t len = clamp_t(int64_t, THIS->n + 1, 1, MAXSTRINGLEN); assert_is_myproc(); - len = THIS->n + 1; if (THIS->addr == 0) strlcpy(THIS->__retvalue, "NULL", MAXSTRINGLEN); else diff --git a/tapset/string.stp b/tapset/string.stp index 59ba74ee..d03e5570 100644 --- a/tapset/string.stp +++ b/tapset/string.stp @@ -27,8 +27,8 @@ function strlen:long(s:string) %{ /* pure */ /* unprivileged */ * starting at the given start position. */ function substr:string(str:string,start:long, length:long) %{ /* pure */ /* unprivileged */ - int length = THIS->length >= MAXSTRINGLEN ? MAXSTRINGLEN : THIS->length + 1; - if (THIS->start >= 0 && length > 0 && THIS->start < strlen(THIS->str)) + int64_t length = clamp_t(int64_t, THIS->length + 1, 0, MAXSTRINGLEN); + if (THIS->start >= 0 && THIS->start < strlen(THIS->str)) strlcpy(THIS->__retvalue, THIS->str + THIS->start, length); %} @@ -87,7 +87,8 @@ function text_str:string(input:string) */ function text_strn:string(input:string, len:long, quoted:long) %{ /* pure */ /* unprivileged */ - _stp_text_str(THIS->__retvalue, THIS->input, THIS->len, THIS->quoted, 0); + int64_t len = clamp_t(int64_t, THIS->len, 0, MAXSTRINGLEN); + _stp_text_str(THIS->__retvalue, THIS->input, len, THIS->quoted, 0); %} /** @@ -162,4 +163,4 @@ function str_replace:string (prnt_str:string, srch_str:string, rplc_str:string) function strtol:long(str:string, base:long) %{ /* pure */ /* unprivileged */ THIS->__retvalue = simple_strtol(THIS->str, NULL, THIS->base); -%}
\ No newline at end of file +%} |