At Mon, 22 Mar 2010 19:54:30 +0300,
Dan Carpenter wrote:
>
> On Mon, Mar 22, 2010 at 05:04:55PM +0100, Takashi Iwai wrote:
> > At Mon, 22 Mar 2010 08:43:47 -0700,
> > Joe Perches wrote:
> > >
> > > On Mon, 2010-03-22 at 18:39 +0300, Dan Carpenter wrote:
> > > > card->driver is 15 characters and a NULL, the original code could
> > > > cause a buffer overflow.
> > >
> > > > In version 2, I used a better name that Takashi Iwai suggested.
> > >
> > > Perhaps it's better to use strncpy as well.
> >
> > strlcpy() would be safer :)
> >
> > But, in such a case, we want rather that the error is notified at
> > build time.
> >
> > Maybe a macro like below would be helpful to catch such bugs?
> >
> > #define COPY_STRING(buf, src) \
> > do { \
> > if (__builtin_constant_p(src)) \
> > BUILD_BUG_ON(strlen(src) >= sizeof(buf)); \
> > strcpy(buf, src); \
> > } while (0)
> >
> > and used like:
> >
> > struct foo {
> > char foo[5];
> > } x;
> >
> > COPY_STRING(x.foo, "OK"); // OK
> > COPY_STRING(x.foo, "1234567890"); // NG
> >
>
> I can do the same thing with Smatch. The smatch check can also find
> bugs like this:
>
> buf = kmalloc(10, GFP_KERNEL);
> strcpy(buf, "1234567890");
>
> I used smatch to find this bug and 5 others on my allmodconfig w/ staging.
> I also found 19 other places that use strcpy() to copy from a large buffer
> into a smaller buffer.
Ah, nice.
> Your idea is nice, but I think anyone who deliberately uses the new
> macro is not going to have the bug in the first place. ;)
Yeah, in theory, such a code should be never committed because it
can be caught at build time ;)
Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
