From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top
Subject: Re: [PATCH 2/8] treewide: Comply with CERT C rule ERR33-C for snprintf()
Date: Fri, 25 Oct 2024 11:48:55 +1100 [thread overview]
Message-ID: <Zxrq93F-BzVTydPJ@zatzit> (raw)
In-Reply-To: <20241024230438.3192725-3-sbrivio@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 9574 bytes --]
On Fri, Oct 25, 2024 at 01:04:32AM +0200, Stefano Brivio wrote:
> clang-tidy, starting from LLVM version 16, up to at least LLVM version
> 19, now checks that we detect and handle errors for snprintf() as
> requested by CERT C rule ERR33-C. These warnings were logged with LLVM
> version 19.1.2 (at least Debian and Fedora match):
>
> /home/sbrivio/passt/arch.c:43:3: error: the value returned by this function should not be disregarded; neglecting it may lead to errors [cert-err33-c,-warnings-as-errors]
> 43 | snprintf(new_path, PATH_MAX + sizeof(".avx2"), "%s.avx2", exe);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/sbrivio/passt/arch.c:43:3: note: cast the expression to void to silence this warning
> /home/sbrivio/passt/conf.c:577:4: error: the value returned by this function should not be disregarded; neglecting it may lead to errors [cert-err33-c,-warnings-as-errors]
> 577 | snprintf(netns, PATH_MAX, "/proc/%ld/ns/net", pidval);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/sbrivio/passt/conf.c:577:4: note: cast the expression to void to silence this warning
> /home/sbrivio/passt/conf.c:579:5: error: the value returned by this function should not be disregarded; neglecting it may lead to errors [cert-err33-c,-warnings-as-errors]
> 579 | snprintf(userns, PATH_MAX, "/proc/%ld/ns/user",
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 580 | pidval);
> | ~~~~~~~
> /home/sbrivio/passt/conf.c:579:5: note: cast the expression to void to silence this warning
> /home/sbrivio/passt/pasta.c:105:2: error: the value returned by this function should not be disregarded; neglecting it may lead to errors [cert-err33-c,-warnings-as-errors]
> 105 | snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/sbrivio/passt/pasta.c:105:2: note: cast the expression to void to silence this warning
> /home/sbrivio/passt/pasta.c:242:2: error: the value returned by this function should not be disregarded; neglecting it may lead to errors [cert-err33-c,-warnings-as-errors]
> 242 | snprintf(uidmap, BUFSIZ, "0 %u 1", uid);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/sbrivio/passt/pasta.c:242:2: note: cast the expression to void to silence this warning
> /home/sbrivio/passt/pasta.c:243:2: error: the value returned by this function should not be disregarded; neglecting it may lead to errors [cert-err33-c,-warnings-as-errors]
> 243 | snprintf(gidmap, BUFSIZ, "0 %u 1", gid);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/sbrivio/passt/pasta.c:243:2: note: cast the expression to void to silence this warning
> /home/sbrivio/passt/tap.c:1155:4: error: the value returned by this function should not be disregarded; neglecting it may lead to errors [cert-err33-c,-warnings-as-errors]
> 1155 | snprintf(path, UNIX_PATH_MAX - 1, UNIX_SOCK_PATH, i);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/sbrivio/passt/tap.c:1155:4: note: cast the expression to void to silence this warning
>
> Don't silence the warnings as they might actually have some merit. Add
> an snprintf_check() function, instead, checking that we're not
> truncating messages while printing to buffers and terminating if we
> do.
Huh, I wonder why I wasn't seeing these with clang 18.1.8.1. Still,
LGTM except for a couple of nits.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> arch.c | 4 +++-
> conf.c | 11 +++++++----
> pasta.c | 7 ++++---
> tap.c | 8 +++++---
> util.c | 22 ++++++++++++++++++++++
> util.h | 3 +++
> 6 files changed, 44 insertions(+), 11 deletions(-)
>
> diff --git a/arch.c b/arch.c
> index 04bebfc..edbe666 100644
> --- a/arch.c
> +++ b/arch.c
> @@ -19,6 +19,7 @@
> #include <unistd.h>
>
> #include "log.h"
> +#include "util.h"
>
> /**
> * arch_avx2_exec() - Switch to AVX2 build if supported
> @@ -40,7 +41,8 @@ void arch_avx2_exec(char **argv)
> if (__builtin_cpu_supports("avx2")) {
> char new_path[PATH_MAX + sizeof(".avx2")];
>
> - snprintf(new_path, PATH_MAX + sizeof(".avx2"), "%s.avx2", exe);
> + snprintf_check("Can't build AVX2 executable path", new_path,
For all of these messages I'd suggest "XXX path is too long" rather
than just "Can't build XXX path" in order to be more explicit and give
users a clue to a workaround.
> + PATH_MAX + sizeof(".avx2"), "%s.avx2", exe);
> execve(new_path, argv, environ);
> warn_perror("Can't run AVX2 build, using non-AVX2 version");
> }
> diff --git a/conf.c b/conf.c
> index b3b5342..2122600 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -574,10 +574,13 @@ static void conf_pasta_ns(int *netns_only, char *userns, char *netns,
> if (pidval < 0 || pidval > INT_MAX)
> die("Invalid PID %s", argv[optind]);
>
> - snprintf(netns, PATH_MAX, "/proc/%ld/ns/net", pidval);
> - if (!*userns)
> - snprintf(userns, PATH_MAX, "/proc/%ld/ns/user",
> - pidval);
> + snprintf_check("Can't build netns path", netns,
> + PATH_MAX, "/proc/%ld/ns/net", pidval);
> + if (!*userns) {
> + snprintf_check("Can't build userns path",
> + userns, PATH_MAX,
> + "/proc/%ld/ns/user", pidval);
> + }
> }
> }
>
> diff --git a/pasta.c b/pasta.c
> index 307fb4a..ce9ae7a 100644
> --- a/pasta.c
> +++ b/pasta.c
> @@ -102,7 +102,8 @@ static int pasta_wait_for_ns(void *arg)
> int flags = O_RDONLY | O_CLOEXEC;
> char ns[PATH_MAX];
>
> - snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
> + snprintf_check("Can't build netns path", ns,
> + PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
> do {
> while ((c->pasta_netns_fd = open(ns, flags)) < 0) {
> if (errno != ENOENT)
> @@ -239,8 +240,8 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
> c->quiet = 1;
>
> /* Configure user and group mappings */
> - snprintf(uidmap, BUFSIZ, "0 %u 1", uid);
> - snprintf(gidmap, BUFSIZ, "0 %u 1", gid);
> + snprintf_check("Can't build uidmap", uidmap, BUFSIZ, "0 %u 1", uid);
> + snprintf_check("Can't build gidmap", gidmap, BUFSIZ, "0 %u 1", gid);
>
> if (write_file("/proc/self/uid_map", uidmap) ||
> write_file("/proc/self/setgroups", "deny") ||
> diff --git a/tap.c b/tap.c
> index c53a39b..51eb134 100644
> --- a/tap.c
> +++ b/tap.c
> @@ -1149,10 +1149,12 @@ int tap_sock_unix_open(char *sock_path)
> char *path = addr.sun_path;
> int ex, ret;
>
> - if (*sock_path)
> + if (*sock_path) {
> memcpy(path, sock_path, UNIX_PATH_MAX);
> - else
> - snprintf(path, UNIX_PATH_MAX - 1, UNIX_SOCK_PATH, i);
> + } else {
> + snprintf_check("Can't build UNIX domain path", path,
I'd suggest explicitly saying "Unix domain _socket_",
> + UNIX_PATH_MAX - 1, UNIX_SOCK_PATH, i);
> + }
>
> ex = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0);
> if (ex < 0)
> diff --git a/util.c b/util.c
> index eba7d52..eff6787 100644
> --- a/util.c
> +++ b/util.c
> @@ -749,3 +749,25 @@ void close_open_files(int argc, char **argv)
> if (rc)
> die_perror("Failed to close files leaked by parent");
> }
> +
> +/**
> + * snprintf_check() - snprintf() wrapper, terminating on truncation
> + * @errmsg: Error string to be printed while terminating
> + * @str: Output buffer
> + * @size: Maximum size to write to @str
> + * @format: Message
> + */
> +void snprintf_check(const char *errstr,
> + char *str, size_t size, const char *format, ...)
YMMV, but I always find passing a format / error string into a
function that's not primarily about error handling kind of clunky.
How much bulkier would it be to make this wrapper return a boolean and
do an explicit:
if (!sprintf_check(...))
die("blah blah blah");
at the call sites? It might make the control flow a little more
obvious, and means we could add parameters to the error message if
there are cases where that makes sense.
> +{
> + va_list ap;
> + int rc;
> +
> + va_start(ap, format);
> +
> + rc = snprintf(str, size, format, ap);
> + if (rc < 0 || (size_t)rc >= size)
> + die("%s", errstr);
> +
> + va_end(ap);
> +}
> diff --git a/util.h b/util.h
> index 2c1e08e..8449d00 100644
> --- a/util.h
> +++ b/util.h
> @@ -11,6 +11,7 @@
> #include <stdbool.h>
> #include <stddef.h>
> #include <stdint.h>
> +#include <stdio.h>
> #include <string.h>
> #include <signal.h>
> #include <arpa/inet.h>
> @@ -200,6 +201,8 @@ int write_file(const char *path, const char *buf);
> int write_all_buf(int fd, const void *buf, size_t len);
> int write_remainder(int fd, const struct iovec *iov, size_t iovcnt, size_t skip);
> void close_open_files(int argc, char **argv);
> +void snprintf_check(const char *errstr,
> + char *str, size_t size, const char *format, ...);
>
> /**
> * af_name() - Return name of an address family
--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-10-25 0:52 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-24 23:04 [PATCH 0/8] Take care of clang-tidy warnings with LLVM >= 16 Stefano Brivio
2024-10-24 23:04 ` [PATCH 1/8] Makefile: Exclude qrap.c from clang-tidy checks Stefano Brivio
2024-10-25 0:35 ` David Gibson
2024-10-24 23:04 ` [PATCH 2/8] treewide: Comply with CERT C rule ERR33-C for snprintf() Stefano Brivio
2024-10-25 0:48 ` David Gibson [this message]
2024-10-25 7:53 ` Stefano Brivio
2024-10-24 23:04 ` [PATCH 3/8] treewide: Silence cert-err33-c clang-tidy warnings for fprintf() Stefano Brivio
2024-10-25 0:52 ` David Gibson
2024-10-24 23:04 ` [PATCH 4/8] Makefile: Disable readability-math-missing-parentheses clang-tidy check Stefano Brivio
2024-10-25 0:53 ` David Gibson
2024-10-25 7:53 ` Stefano Brivio
2024-10-24 23:04 ` [PATCH 5/8] treewide: Suppress clang-tidy warning if we already use O_CLOEXEC or if we can't Stefano Brivio
2024-10-24 23:04 ` [PATCH 6/8] treewide: Address cert-err33-c clang-tidy warnings for clock and timer functions Stefano Brivio
2024-10-25 1:00 ` David Gibson
2024-10-25 7:53 ` Stefano Brivio
2024-10-24 23:04 ` [PATCH 7/8] udp: Take care of cert-int09-c clang-tidy warning for enum udp_iov_idx Stefano Brivio
2024-10-25 1:02 ` David Gibson
2024-10-25 7:53 ` Stefano Brivio
2024-10-24 23:04 ` [PATCH 8/8] util: Don't use errno after a successful call in __daemon() Stefano Brivio
2024-10-25 1:04 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zxrq93F-BzVTydPJ@zatzit \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).