Re: [PATCH v8 2/6] util: Introduce read_file() and read_file_integer() function

[Yumei Huang <yuhuang@redhat.com>]

On Fri, Nov 14, 2025 at 8:01 AM Stefano Brivio <sbrivio@redhat.com> wrote:
>
> On Mon, 10 Nov 2025 17:31:33 +0800
> Yumei Huang <yuhuang@redhat.com> wrote:
>
> > Signed-off-by: Yumei Huang <yuhuang@redhat.com>
> > Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> > ---
> >  util.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  util.h |  2 ++
> >  2 files changed, 88 insertions(+)
> >
> > diff --git a/util.c b/util.c
> > index 44c21a3..c4c849c 100644
> > --- a/util.c
> > +++ b/util.c
> > @@ -590,6 +590,92 @@ int write_file(const char *path, const char *buf)
> >       return len == 0 ? 0 : -1;
> >  }
> >
> > +/**
> > + * read_file() - Read contents of file into a NULL-terminated buffer
> > + * @path:    Path to file to read
> > + * @buf:     Buffer to store file contents
> > + * @buf_size:        Size of buffer
> > + *
> > + * Return: number of bytes read on success, -1 on error, -ENOBUFS on truncation
> > + */
> > +ssize_t read_file(const char *path, char *buf, size_t buf_size)
> > +{
> > +     int fd = open(path, O_RDONLY | O_CLOEXEC);
> > +     size_t total_read = 0;
> > +     ssize_t rc;
> > +
> > +     if (fd < 0) {
> > +             warn_perror("Could not open %s", path);
> > +             return -1;
> > +     }
> > +
> > +     while (total_read < buf_size) {
> > +             rc = read(fd, buf + total_read, buf_size - total_read);
>
> cppcheck rightfully says that:
>
> util.c:604:10: style: The scope of the variable 'rc' can be reduced. [variableScope]
>  ssize_t rc;
>          ^

Right.
Seems it also says:

tcp.c:2814:0: style: The function 'tcp_get_rto_params' should have
static linkage since it is not used outside of its translation unit.
[staticFunction]
void tcp_get_rto_params(struct ctx *c)
^
util.c:601:0: style: The function 'read_file' should have static
linkage since it is not used outside of its translation unit.
[staticFunction]
ssize_t read_file(const char *path, char *buf, size_t buf_size)

I understand read_file() may be called from other places in the
future. But do we need to add static now? I guess we need it for
tcp_get_rto_params().
>
> > +
> > +             if (rc < 0) {
> > +                     warn_perror("Couldn't read from %s", path);
> > +                     close(fd);
> > +                     return -1;
> > +             }
> > +
> > +             if (rc == 0)
> > +                     break;
> > +
> > +             total_read += rc;
> > +     }
> > +
> > +     close(fd);
> > +
> > +     if (total_read == buf_size) {
> > +             warn("File %s contents exceed buffer size %zu", path,
> > +                  buf_size);
> > +             buf[buf_size - 1] = '\0';
>
> I suggested we need this, but Coverity Scan points out that:
>
> ---
> /home/sbrivio/passt/util.c:631:3:
>   Type: Overflowed constant (INTEGER_OVERFLOW)
>
> /home/sbrivio/passt/util.c:606:2:
>   1. path: Condition "fd < 0", taking false branch.
> /home/sbrivio/passt/util.c:611:2:
>   2. path: Condition "total_read < buf_size", taking false branch.
> /home/sbrivio/passt/util.c:628:2:
>   3. path: Condition "total_read == buf_size", taking true branch.
> /home/sbrivio/passt/util.c:631:3:
>   4. overflow_const: Expression "buf_size - 1UL", where "buf_size" is known to be equal to 0, underflows the type of "buf_size - 1UL", which is type "unsigned long".
> ---

Somehow my Coverity Scan didn't complain about that.
>
> in the (faulty) case where somebody calls this with 0 as buf_size.
>
> On the other hand, the passed value of buf_size might be a result of a
> wrong calculation, and in that case we don't want to write some
> unrelated value on the stack of the caller or smash the stack.
>
> We could ASSERT(buf_size), but in the future we might abuse read_file()
> to just check that a file is there and can be read, instead of actually
> reading it.
>
> So maybe we could just return (after closing fd) before read() on
> !buf_size?

Sure. I can add that.
>
> > +             return -ENOBUFS;
> > +     }
> > +
> > +     buf[total_read] = '\0';
> > +
> > +     return total_read;
> > +}
> > +
> > +/**
> > + * read_file_integer() - Read an integer value from a file
> > + * @path:    Path to file to read
> > + * @fallback:        Default value if file can't be read
> > + *
> > + * Return: integer value, @fallback on failure
> > + */
> > +intmax_t read_file_integer(const char *path, intmax_t fallback)
> > +{
> > +     ssize_t bytes_read;
> > +     char buf[BUFSIZ];
> > +     intmax_t value;
> > +     char *end;
> > +
> > +     bytes_read = read_file(path, buf, sizeof(buf));
> > +
> > +     if (bytes_read < 0)
> > +             return fallback;
> > +
> > +     if (bytes_read == 0) {
> > +             debug("Empty file %s", path);
> > +             return fallback;
> > +     }
> > +
> > +     errno = 0;
> > +     value = strtoimax(buf, &end, 10);
> > +     if (*end && *end != '\n') {
> > +             debug("Non-numeric content in %s", path);
> > +             return fallback;
> > +     }
> > +     if (errno) {
> > +             debug("Out of range value in %s: %s", path, buf);
> > +             return fallback;
> > +     }
> > +
> > +     return value;
> > +}
> > +
> >  #ifdef __ia64__
> >  /* Needed by do_clone() below: glibc doesn't export the prototype of __clone2(),
> >   * use the description from clone(2).
> > diff --git a/util.h b/util.h
> > index a0b2ada..c1502cc 100644
> > --- a/util.h
> > +++ b/util.h
> > @@ -229,6 +229,8 @@ void pidfile_write(int fd, pid_t pid);
> >  int __daemon(int pidfile_fd, int devnull_fd);
> >  int fls(unsigned long x);
> >  int write_file(const char *path, const char *buf);
> > +ssize_t read_file(const char *path, char *buf, size_t buf_size);
> > +intmax_t read_file_integer(const char *path, intmax_t fallback);
> >  int write_all_buf(int fd, const void *buf, size_t len);
> >  int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size_t skip);
> >  int read_all_buf(int fd, void *buf, size_t len);
>
> --
> Stefano
>


-- 
Thanks,

Yumei Huang