Coverity found a bug in `zfs_secpolicy_create_clone()` where it is
possible for us to pass an unterminated string when `zfs_get_parent()`
returns an error. Upon inspection, it is clear that using `strlcpy()`
would have avoided this issue.
Looking at the codebase, there are a number of other uses of `strncpy()`
that are unsafe and even when it is used safely, switching to
`strlcpy()` would make the code more readable. Therefore, we switch all
instances where we use `strncpy()` to use `strlcpy()`.
Unfortunately, we do not portably have access to `strlcpy()` in
tests/zfs-tests/cmd/zfs_diff-socket.c because it does not link to
libspl. Modifying the appropriate Makefile.am to try to link to it
resulted in an error from the naming choice used in the file. Trying to
disable the check on the file did not work on FreeBSD because Clang
ignores `#undef` when a definition is provided by `-Dstrncpy(...)=...`.
We workaround that by explictly including the C file from libspl into
the test. This makes things build correctly everywhere.
We add a deprecation warning to `config/Rules.am` and suppress it on the
remaining `strncpy()` usage. `strlcpy()` is not portably avaliable in
tests/zfs-tests/cmd/zfs_diff-socket.c, so we use `snprintf()` there as a
substitute.
This patch does not tackle the related problem of `strcpy()`, which is
even less safe. Thankfully, a quick inspection found that it is used far
more correctly than strncpy() was used. A quick inspection did not find
any problems with `strcpy()` usage outside of zhack, but it should be
said that I only checked around 90% of them.
Lastly, some of the fields in kstat_t varied in size by 1 depending on
whether they were in userspace or in the kernel. The origin of this
discrepancy appears to be
04a479f7066ccdaa23a6546955303b172f4a6909 where
it was made for no apparent reason. It conflicts with the comment on
KSTAT_STRLEN, so we shrink the kernel field sizes to match the userspace
field sizes.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Ryan Moeller <ryan@iXsystems.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13876
++errors;
continue;
}
- (void) strncpy(parent, path, delim - path);
- parent[delim - path] = '\0';
+ (void) strlcpy(parent, path, MIN(sizeof (parent),
+ delim - path + 1));
zhp = zfs_open(g_zfs, parent,
ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
goto invalid;
int dirlen = strrchr(val, '/') - val;
- strncpy(zo->zo_alt_libpath, val, dirlen);
+ strlcpy(zo->zo_alt_libpath, val,
+ MIN(sizeof (zo->zo_alt_libpath), dirlen + 1));
invalid_what = "library path", val = zo->zo_alt_libpath;
if (strrchr(val, '/') == NULL && (errno = EINVAL))
goto invalid;
AM_CPPFLAGS_NOCHECK += -D"asctime_r(...)=__attribute__((deprecated(\"Use strftime(3) instead!\"))) asctime_r(__VA_ARGS__)"
AM_CPPFLAGS_NOCHECK += -D"gmtime(...)=__attribute__((deprecated(\"gmtime(3) isn't thread-safe. Use gmtime_r(3) instead!\"))) gmtime(__VA_ARGS__)"
AM_CPPFLAGS_NOCHECK += -D"localtime(...)=__attribute__((deprecated(\"localtime(3) isn't thread-safe. Use localtime_r(3) instead!\"))) localtime(__VA_ARGS__)"
+AM_CPPFLAGS_NOCHECK += -D"strncpy(...)=__attribute__((deprecated(\"strncpy(3) is deprecated. Use strlcpy(3) instead!\"))) strncpy(__VA_ARGS__)"
+
AM_CPPFLAGS += $(AM_CPPFLAGS_NOCHECK)
if ASAN_ENABLED
typedef struct kstat_module {
- char ksm_name[KSTAT_STRLEN+1]; /* module name */
+ char ksm_name[KSTAT_STRLEN]; /* module name */
struct list_head ksm_module_list; /* module linkage */
struct list_head ksm_kstat_list; /* list of kstat entries */
struct proc_dir_entry *ksm_proc; /* proc entry */
kid_t ks_kid; /* unique kstat ID */
hrtime_t ks_crtime; /* creation time */
hrtime_t ks_snaptime; /* last access time */
- char ks_module[KSTAT_STRLEN+1]; /* provider module name */
+ char ks_module[KSTAT_STRLEN]; /* provider module name */
int ks_instance; /* provider module instance */
- char ks_name[KSTAT_STRLEN+1]; /* kstat name */
- char ks_class[KSTAT_STRLEN+1]; /* kstat class */
+ char ks_name[KSTAT_STRLEN]; /* kstat name */
+ char ks_class[KSTAT_STRLEN]; /* kstat class */
uchar_t ks_type; /* kstat data type */
uchar_t ks_flags; /* kstat flags */
void *ks_data; /* kstat type-specific data */
} kstat_io_t;
typedef struct kstat_timer {
- char name[KSTAT_STRLEN+1]; /* event name */
+ char name[KSTAT_STRLEN]; /* event name */
u_longlong_t num_events; /* number of events */
hrtime_t elapsed_time; /* cumulative elapsed time */
hrtime_t min_time; /* shortest event duration */
typedef int kstat_update_t(struct kstat_s *, int); /* dynamic update cb */
typedef struct kstat_module {
- char ksm_name[KSTAT_STRLEN+1]; /* module name */
+ char ksm_name[KSTAT_STRLEN]; /* module name */
struct list_head ksm_module_list; /* module linkage */
struct list_head ksm_kstat_list; /* list of kstat entries */
struct proc_dir_entry *ksm_proc; /* proc entry */
} kstat_raw_ops_t;
typedef struct kstat_proc_entry {
- char kpe_name[KSTAT_STRLEN+1]; /* kstat name */
- char kpe_module[KSTAT_STRLEN+1]; /* provider module name */
+ char kpe_name[KSTAT_STRLEN]; /* kstat name */
+ char kpe_module[KSTAT_STRLEN]; /* provider module name */
kstat_module_t *kpe_owner; /* kstat module linkage */
struct list_head kpe_list; /* kstat linkage */
struct proc_dir_entry *kpe_proc; /* procfs entry */
hrtime_t ks_crtime; /* creation time */
hrtime_t ks_snaptime; /* last access time */
int ks_instance; /* provider module instance */
- char ks_class[KSTAT_STRLEN+1]; /* kstat class */
+ char ks_class[KSTAT_STRLEN]; /* kstat class */
uchar_t ks_type; /* kstat data type */
uchar_t ks_flags; /* kstat flags */
void *ks_data; /* kstat type-specific data */
} kstat_io_t;
typedef struct kstat_timer {
- char name[KSTAT_STRLEN+1]; /* event name */
+ char name[KSTAT_STRLEN]; /* event name */
u_longlong_t num_events; /* number of events */
hrtime_t elapsed_time; /* cumulative elapsed time */
hrtime_t min_time; /* shortest event duration */
* to get the parent dataset name only.
*/
assert(bookp - path < sizeof (dsname));
- (void) strncpy(dsname, path, bookp - path);
- dsname[bookp - path] = '\0';
+ (void) strlcpy(dsname, path,
+ MIN(sizeof (dsname), bookp - path + 1));
/*
* Create handle for the parent dataset.
/* check to see if the pool exists */
if ((slash = strchr(parent, '/')) == NULL)
slash = parent + strlen(parent);
- (void) strncpy(zc.zc_name, parent, slash - parent);
- zc.zc_name[slash - parent] = '\0';
+ (void) strlcpy(zc.zc_name, parent,
+ MIN(sizeof (zc.zc_name), slash - parent + 1));
if (zfs_ioctl(hdl, ZFS_IOC_OBJSET_STATS, &zc) != 0 &&
errno == ENOENT) {
zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
zfs_handle_t *zhp;
di->ds = zfs_alloc(di->zhp->zfs_hdl, tdslen + 1);
- (void) strncpy(di->ds, tosnap, tdslen);
- di->ds[tdslen] = '\0';
+ (void) strlcpy(di->ds, tosnap, tdslen + 1);
zhp = zfs_open(hdl, di->ds, ZFS_TYPE_FILESYSTEM);
while (zhp != NULL) {
int dslen = fdslen ? fdslen : tdslen;
di->ds = zfs_alloc(hdl, dslen + 1);
- (void) strncpy(di->ds, fdslen ? fromsnap : tosnap, dslen);
- di->ds[dslen] = '\0';
+ (void) strlcpy(di->ds, fdslen ? fromsnap : tosnap, dslen + 1);
di->fromsnap = zfs_asprintf(hdl, "%s%s", di->ds, atptrf);
if (tsnlen) {
cv_init(&tq->tq_dispatch_cv, NULL, CV_DEFAULT, NULL);
cv_init(&tq->tq_wait_cv, NULL, CV_DEFAULT, NULL);
cv_init(&tq->tq_maxalloc_cv, NULL, CV_DEFAULT, NULL);
- (void) strncpy(tq->tq_name, name, TASKQ_NAMELEN);
+ (void) strlcpy(tq->tq_name, name, sizeof (tq->tq_name));
tq->tq_flags = flags | TASKQ_ACTIVE;
tq->tq_active = nthreads;
tq->tq_nthreads = nthreads;
"too long -- truncated to %d chars",
name, CB_MAXNAME);
#endif
- (void) strncpy(cp->c_name, name, CB_MAXNAME);
- cp->c_name[CB_MAXNAME] = '\0';
+ (void) strlcpy(cp->c_name, name, sizeof (cp->c_name));
/*
* Insert the new callb at the head of its class list.
} else {
if (p - osname >= MAXNAMELEN)
return (ENAMETOOLONG);
- (void) strncpy(poolname, osname, p - osname);
- poolname[p - osname] = '\0';
+ (void) strlcpy(poolname, osname, p - osname + 1);
}
return (0);
}
kfree(skc);
return (NULL);
}
- strncpy(skc->skc_name, name, skc->skc_name_size);
+ strlcpy(skc->skc_name, name, skc->skc_name_size);
skc->skc_ctor = ctor;
skc->skc_dtor = dtor;
module = kmem_alloc(sizeof (kstat_module_t), KM_SLEEP);
module->ksm_proc = pde;
- strlcpy(module->ksm_name, name, KSTAT_STRLEN+1);
+ strlcpy(module->ksm_name, name, KSTAT_STRLEN);
INIT_LIST_HEAD(&module->ksm_kstat_list);
list_add_tail(&module->ksm_module_list, &kstat_module_list);
kpep->kpe_owner = NULL;
kpep->kpe_proc = NULL;
INIT_LIST_HEAD(&kpep->kpe_list);
- strncpy(kpep->kpe_module, module, KSTAT_STRLEN);
- strncpy(kpep->kpe_name, name, KSTAT_STRLEN);
+ strlcpy(kpep->kpe_module, module, sizeof (kpep->kpe_module));
+ strlcpy(kpep->kpe_name, name, sizeof (kpep->kpe_name));
}
EXPORT_SYMBOL(kstat_proc_entry_init);
ksp->ks_crtime = gethrtime();
ksp->ks_snaptime = ksp->ks_crtime;
ksp->ks_instance = ks_instance;
- strncpy(ksp->ks_class, ks_class, KSTAT_STRLEN);
+ strlcpy(ksp->ks_class, ks_class, sizeof (ksp->ks_class));
ksp->ks_type = ks_type;
ksp->ks_flags = ks_flags;
ksp->ks_update = kstat_default_update;
return (NULL);
}
- strncpy(tp->tp_name, name, tp->tp_name_size);
+ strlcpy(tp->tp_name, name, tp->tp_name_size);
/*
* Strip trailing "_thread" from passed name which will be the func
zd = kmem_alloc(sizeof (zone_dataset_t) + dsnamelen + 1, KM_SLEEP);
zd->zd_dsnamelen = dsnamelen;
- strncpy(zd->zd_dsname, dataset, dsnamelen);
- zd->zd_dsname[dsnamelen] = '\0';
+ strlcpy(zd->zd_dsname, dataset, dsnamelen + 1);
INIT_LIST_HEAD(&zd->zd_list);
list_add_tail(&zd->zd_list, &zds->zds_datasets);
} else if (p[0] == '/') {
if (p - path >= ZFS_MAX_DATASET_NAME_LEN)
return (SET_ERROR(ENAMETOOLONG));
- (void) strncpy(component, path, p - path);
- component[p - path] = '\0';
+ (void) strlcpy(component, path, p - path + 1);
p++;
} else if (p[0] == '@') {
/*
return (SET_ERROR(EINVAL));
if (p - path >= ZFS_MAX_DATASET_NAME_LEN)
return (SET_ERROR(ENAMETOOLONG));
- (void) strncpy(component, path, p - path);
- component[p - path] = '\0';
+ (void) strlcpy(component, path, p - path + 1);
} else {
panic("invalid p=%p", (void *)p);
}
if (zfs_prop_get_type(prop) == PROP_TYPE_STRING) {
if (intsz != 1)
return (SET_ERROR(EOVERFLOW));
- (void) strncpy(buf, zfs_prop_default_string(prop),
+ (void) strlcpy(buf, zfs_prop_default_string(prop),
numints);
} else {
if (intsz != 8 || numints < 1)
if (flags & DSL_PROP_GET_LOCAL)
continue;
- (void) strncpy(buf, za.za_name, (suffix - za.za_name));
- buf[suffix - za.za_name] = '\0';
+ (void) strlcpy(buf, za.za_name,
+ MIN(sizeof (buf), suffix - za.za_name + 1));
propname = buf;
if (!(flags & DSL_PROP_GET_RECEIVED)) {
if (spa->spa_root == NULL)
buf[0] = '\0';
else
- (void) strncpy(buf, spa->spa_root, buflen);
+ (void) strlcpy(buf, spa->spa_root, buflen);
}
int
*/
int domain_len = strrchr(cp, '-') - cp;
domain_val = kmem_alloc(domain_len + 1, KM_SLEEP);
- (void) strncpy(domain_val, cp, domain_len);
- domain_val[domain_len] = '\0';
+ (void) strlcpy(domain_val, cp, domain_len + 1);
cp += domain_len + 1;
(void) ddi_strtoll(cp, &end, 10, (longlong_t *)rid);
/*
* Remove the @bla or /bla from the end of the name to get the parent.
*/
- (void) strncpy(parent, datasetname, parentsize);
+ (void) strlcpy(parent, datasetname, parentsize);
cp = strrchr(parent, '@');
if (cp != NULL) {
cp[0] = '\0';
if (handler) {
*record = handler->zi_record;
*id = handler->zi_id;
- (void) strncpy(name, spa_name(handler->zi_spa), buflen);
+ (void) strlcpy(name, spa_name(handler->zi_spa), buflen);
ret = 0;
} else {
ret = SET_ERROR(ENOENT);
}
if (argc > optind)
- strncpy(filename, argv[optind], MAXPATHLEN - 1);
+ strlcpy(filename, argv[optind], sizeof (filename));
else {
(void) fprintf(stderr, "A FILE must be specified.\n");
return (1);
return (ENOMEM);
if (realpath(argv[optind], abspath) != NULL)
- strncpy(filename, abspath, MAXPATHLEN - 1);
+ strlcpy(filename, abspath, sizeof (filename));
else
- strncpy(filename, argv[optind], MAXPATHLEN - 1);
+ strlcpy(filename, argv[optind], sizeof (filename));
free(abspath);
} else {
}
if (argc > optind)
- strncpy(filename, argv[optind], MAXPATHLEN - 1);
+ strlcpy(filename, argv[optind], sizeof (filename));
else {
(void) fprintf(stderr, "A FILE must be specified.\n");
return (1);
int error;
if (argc > optind)
- strncpy(filename, argv[optind], MAXPATHLEN - 1);
+ strlcpy(filename, argv[optind], sizeof (filename));
else {
(void) fprintf(stderr, "A FILE must be specified.\n");
return (1);
return (1);
}
- strncpy(filename, argv[optind], MAXPATHLEN - 1);
+ strlcpy(filename, argv[optind], sizeof (filename));
optind++;
error = read_map(filename, &allcfgs);
char srcfilename[MAXPATHLEN] = {0};
int merged = 0;
- strncpy(srcfilename, argv[optind], MAXPATHLEN - 1);
+ strlcpy(srcfilename, argv[optind], sizeof (srcfilename));
error = draid_merge_impl(allcfgs, srcfilename, &merged);
if (error) {
}
path = argv[1];
size = sizeof (sock.sun_path);
- strncpy(sock.sun_path, (char *)path, size - 1);
- sock.sun_path[size - 1] = '\0';
+ (void) snprintf(sock.sun_path, size, "%s", path);
sock.sun_family = AF_UNIX;
if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {