2 Unix SMB/CIFS implementation.
3 Safe string handling routines.
4 Copyright (C) Andrew Tridgell 1994-1998
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #ifndef _SAFE_STRING_H
22 #define _SAFE_STRING_H
24 #ifndef _SPLINT_ /* http://www.splint.org */
26 /* Some macros to ensure people don't use buffer overflow vulnerable string
32 #define bcopy(src,dest,size) __ERROR__XX__NEVER_USE_BCOPY___;
37 #define strcpy(dest,src) __ERROR__XX__NEVER_USE_STRCPY___;
42 #define strcat(dest,src) __ERROR__XX__NEVER_USE_STRCAT___;
47 #define sprintf __ERROR__XX__NEVER_USE_SPRINTF__;
50 * strcasecmp/strncasecmp aren't an error, but it means you're not thinking about
51 * multibyte. Don't use them. JRA.
56 #define strcasecmp __ERROR__XX__NEVER_USE_STRCASECMP__;
61 #define strncasecmp __ERROR__XX__NEVER_USE_STRNCASECMP__;
63 #endif /* !_SPLINT_ */
66 #define SAFE_STRING_FUNCTION_NAME __FUNCTION__
67 #define SAFE_STRING_LINE __LINE__
69 #define SAFE_STRING_FUNCTION_NAME ("")
70 #define SAFE_STRING_LINE (0)
73 /* We need a number of different prototypes for our
74 non-existant fuctions */
75 char * __unsafe_string_function_usage_here__(void);
77 size_t __unsafe_string_function_usage_here_size_t__(void);
79 size_t __unsafe_string_function_usage_here_char__(void);
81 #ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS
83 /* if the compiler will optimize out function calls, then use this to tell if we are
84 have the correct types (this works only where sizeof() returns the size of the buffer, not
85 the size of the pointer). */
87 #define CHECK_STRING_SIZE(d, len) (sizeof(d) != (len) && sizeof(d) != sizeof(char *))
89 #else /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */
91 #endif /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */
93 #define safe_strcpy_base(dest, src, base, size) \
94 safe_strcpy(dest, src, size-PTR_DIFF(dest,base)-1)
96 /* String copy functions - macro hell below adds 'type checking' (limited,
97 but the best we can do in C) and may tag with function name/number to
98 record the last 'clobber region' on that string */
100 #define fstrcpy(d,s) safe_strcpy((d),(s),sizeof(fstring)-1)
101 #define fstrcat(d,s) safe_strcat((d),(s),sizeof(fstring)-1)
102 #define nstrcpy(d,s) safe_strcpy((d), (s),sizeof(nstring)-1)
103 #define unstrcpy(d,s) safe_strcpy((d), (s),sizeof(unstring)-1)
105 /* the addition of the DEVELOPER checks in safe_strcpy means we must
106 * update a lot of code. To make this a little easier here are some
107 * functions that provide the lengths with less pain */
109 /* Inside the _fn variants of these is a call to clobber_region(), -
110 * which might destroy the stack on a buggy function. We help the
111 * debugging process by putting the function and line who last caused
112 * a clobbering into a static buffer. If the program crashes at
113 * address 0xf1f1f1f1 then this function is probably, but not
114 * necessarily, to blame. */
116 /* overmalloc_safe_strcpy: DEPRECATED! Used when you know the
117 * destination buffer is longer than maxlength, but you don't know how
118 * long. This is not a good situation, because we can't do the normal
119 * sanity checks. Don't use in new code! */
121 #define overmalloc_safe_strcpy(dest,src,maxlength) \
122 safe_strcpy_fn(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
125 #define safe_strcpy(dest,src,maxlength) \
126 safe_strcpy_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
129 #define safe_strcat(dest,src,maxlength) \
130 safe_strcat_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
133 #define push_string_check(dest, src, dest_len, flags) \
134 push_string_check_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
135 dest, src, dest_len, flags)
137 #define pull_string_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \
138 pull_string_talloc_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
139 ctx, base_ptr, smb_flags2, dest, src, src_len, flags)
141 #define clistr_push(cli, dest, src, dest_len, flags) \
142 clistr_push_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
143 cli, dest, src, dest_len, flags)
145 #define clistr_pull(inbuf, dest, src, dest_len, src_len, flags) \
146 clistr_pull_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
147 inbuf, dest, src, dest_len, src_len, flags)
149 #define clistr_pull_talloc(ctx, base, flags2, pp_dest, src, src_len, flags) \
150 clistr_pull_talloc_fn(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
151 ctx, base, flags2, pp_dest, src, src_len, flags)
153 #define srvstr_push(base_ptr, smb_flags2, dest, src, dest_len, flags) \
154 srvstr_push_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
155 base_ptr, smb_flags2, dest, src, dest_len, flags)
157 #define alpha_strcpy(dest,src,other_safe_chars,maxlength) \
158 alpha_strcpy_fn(SAFE_STRING_FUNCTION_NAME,SAFE_STRING_LINE, \
159 dest,src,other_safe_chars,maxlength)
161 #define StrnCpy(dest,src,n) \
162 StrnCpy_fn(SAFE_STRING_FUNCTION_NAME,SAFE_STRING_LINE, \
165 #ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS
167 /* if the compiler will optimize out function calls, then use this to tell if we are
168 have the correct types (this works only where sizeof() returns the size of the buffer, not
169 the size of the pointer). */
171 #define safe_strcpy_fn2(fn_name, fn_line, d, s, max_len) \
172 (CHECK_STRING_SIZE(d, max_len+1) \
173 ? __unsafe_string_function_usage_here__() \
174 : safe_strcpy_fn(fn_name, fn_line, (d), (s), (max_len)))
176 #define safe_strcat_fn2(fn_name, fn_line, d, s, max_len) \
177 (CHECK_STRING_SIZE(d, max_len+1) \
178 ? __unsafe_string_function_usage_here__() \
179 : safe_strcat_fn(fn_name, fn_line, (d), (s), (max_len)))
181 #define push_string_check_fn2(fn_name, fn_line, dest, src, dest_len, flags) \
182 (CHECK_STRING_SIZE(dest, dest_len) \
183 ? __unsafe_string_function_usage_here_size_t__() \
184 : push_string_check_fn(fn_name, fn_line, dest, src, dest_len, flags))
186 #define pull_string_talloc_fn2(fn_name, fn_line, ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \
187 pull_string_talloc_fn(fn_name, fn_line, ctx, base_ptr, smb_flags2, dest, src, src_len, flags)
189 #define clistr_push_fn2(fn_name, fn_line, cli, dest, src, dest_len, flags) \
190 (CHECK_STRING_SIZE(dest, dest_len) \
191 ? __unsafe_string_function_usage_here_size_t__() \
192 : clistr_push_fn(fn_name, fn_line, cli, dest, src, dest_len, flags))
194 #define clistr_pull_fn2(fn_name, fn_line, inbuf, dest, src, dest_len, srclen, flags) \
195 (CHECK_STRING_SIZE(dest, dest_len) \
196 ? __unsafe_string_function_usage_here_size_t__() \
197 : clistr_pull_fn(fn_name, fn_line, inbuf, dest, src, dest_len, srclen, flags))
199 #define srvstr_push_fn2(fn_name, fn_line, base_ptr, smb_flags2, dest, src, dest_len, flags) \
200 (CHECK_STRING_SIZE(dest, dest_len) \
201 ? __unsafe_string_function_usage_here_size_t__() \
202 : srvstr_push_fn(fn_name, fn_line, base_ptr, smb_flags2, dest, src, dest_len, flags))
206 #define safe_strcpy_fn2 safe_strcpy_fn
207 #define safe_strcat_fn2 safe_strcat_fn
208 #define push_string_check_fn2 push_string_check_fn
209 #define pull_string_talloc_fn2 pull_string_talloc_fn
210 #define clistr_push_fn2 clistr_push_fn
211 #define clistr_pull_fn2 clistr_pull_fn
212 #define srvstr_push_fn2 srvstr_push_fn