source3/include/safe_string.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Safe string handling routines.
   4    Copyright (C) Andrew Tridgell 1994-1998
   5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #ifndef _SAFE_STRING_H
  22 #define _SAFE_STRING_H
  23
  24 #ifndef _SPLINT_ /* http://www.splint.org */
  25
  26 /* Some macros to ensure people don't use buffer overflow vulnerable string
  27    functions. */
  28
  29 #ifdef bcopy
  30 #undef bcopy
  31 #endif /* bcopy */
  32 #define bcopy(src,dest,size) __ERROR__XX__NEVER_USE_BCOPY___;
  33
  34 #ifdef strcpy
  35 #undef strcpy
  36 #endif /* strcpy */
  37 #define strcpy(dest,src) __ERROR__XX__NEVER_USE_STRCPY___;
  38
  39 #ifdef strcat
  40 #undef strcat
  41 #endif /* strcat */
  42 #define strcat(dest,src) __ERROR__XX__NEVER_USE_STRCAT___;
  43
  44 #ifdef sprintf
  45 #undef sprintf
  46 #endif /* sprintf */
  47 #define sprintf __ERROR__XX__NEVER_USE_SPRINTF__;
  48
  49 /*
  50  * strcasecmp/strncasecmp aren't an error, but it means you're not thinking about
  51  * multibyte. Don't use them. JRA.
  52  */
  53 #ifdef strcasecmp
  54 #undef strcasecmp
  55 #endif
  56 #define strcasecmp __ERROR__XX__NEVER_USE_STRCASECMP__;
  57
  58 #ifdef strncasecmp
  59 #undef strncasecmp
  60 #endif
  61 #define strncasecmp __ERROR__XX__NEVER_USE_STRNCASECMP__;
  62
  63 #endif /* !_SPLINT_ */
  64
  65 #ifdef DEVELOPER
  66 #define SAFE_STRING_FUNCTION_NAME FUNCTION_MACRO
  67 #define SAFE_STRING_LINE __LINE__
  68 #else
  69 #define SAFE_STRING_FUNCTION_NAME ("")
  70 #define SAFE_STRING_LINE (0)
  71 #endif
  72
  73 /* We need a number of different prototypes for our
  74    non-existant fuctions */
  75 char * __unsafe_string_function_usage_here__(void);
  76
  77 size_t __unsafe_string_function_usage_here_size_t__(void);
  78
  79 size_t __unsafe_string_function_usage_here_char__(void);
  80
  81 #ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS
  82
  83 /* if the compiler will optimize out function calls, then use this to tell if we are
  84    have the correct types (this works only where sizeof() returns the size of the buffer, not
  85    the size of the pointer). */
  86
  87 #define CHECK_STRING_SIZE(d, len) (sizeof(d) != (len) && sizeof(d) != sizeof(char *))
  88
  89 #else /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */
  90
  91 #endif /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */
  92
  93 #define safe_strcpy_base(dest, src, base, size) \
  94     safe_strcpy(dest, src, size-PTR_DIFF(dest,base)-1)
  95
  96 /* String copy functions - macro hell below adds 'type checking' (limited,
  97    but the best we can do in C) and may tag with function name/number to
  98    record the last 'clobber region' on that string */
  99
 100 #define fstrcpy(d,s) safe_strcpy((d),(s),sizeof(fstring)-1)
 101 #define fstrcat(d,s) safe_strcat((d),(s),sizeof(fstring)-1)
 102 #define nstrcpy(d,s) safe_strcpy((d), (s),sizeof(nstring)-1)
 103 #define unstrcpy(d,s) safe_strcpy((d), (s),sizeof(unstring)-1)
 104
 105 /* the addition of the DEVELOPER checks in safe_strcpy means we must
 106  * update a lot of code. To make this a little easier here are some
 107  * functions that provide the lengths with less pain */
 108
 109 /* Inside the _fn variants of these is a call to clobber_region(), -
 110  * which might destroy the stack on a buggy function.  We help the
 111  * debugging process by putting the function and line who last caused
 112  * a clobbering into a static buffer.  If the program crashes at
 113  * address 0xf1f1f1f1 then this function is probably, but not
 114  * necessarily, to blame. */
 115
 116 /* overmalloc_safe_strcpy: DEPRECATED!  Used when you know the
 117  * destination buffer is longer than maxlength, but you don't know how
 118  * long.  This is not a good situation, because we can't do the normal
 119  * sanity checks. Don't use in new code! */
 120
 121 #define overmalloc_safe_strcpy(dest,src,maxlength) \
 122         safe_strcpy_fn(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 123                         dest,src,maxlength)
 124
 125 #define safe_strcpy(dest,src,maxlength) \
 126         safe_strcpy_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 127                         dest,src,maxlength)
 128
 129 #define safe_strcat(dest,src,maxlength) \
 130         safe_strcat_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 131                         dest,src,maxlength)
 132
 133 #define push_string_check(dest, src, dest_len, flags) \
 134         push_string_check_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 135                         dest, src, dest_len, flags)
 136
 137 #define pull_string_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \
 138         pull_string_talloc_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 139                         ctx, base_ptr, smb_flags2, dest, src, src_len, flags)
 140
 141 #define clistr_push(cli, dest, src, dest_len, flags) \
 142         clistr_push_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 143                         cli, dest, src, dest_len, flags)
 144
 145 #define clistr_pull(inbuf, dest, src, dest_len, src_len, flags) \
 146         clistr_pull_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 147                         inbuf, dest, src, dest_len, src_len, flags)
 148
 149 #define clistr_pull_talloc(ctx, inbuf, pp_dest, src, src_len, flags) \
 150         clistr_pull_talloc_fn(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 151                         ctx, inbuf, pp_dest, src, src_len, flags)
 152
 153 #define srvstr_push(base_ptr, smb_flags2, dest, src, dest_len, flags) \
 154         srvstr_push_fn2(SAFE_STRING_FUNCTION_NAME, SAFE_STRING_LINE, \
 155                         base_ptr, smb_flags2, dest, src, dest_len, flags)
 156
 157 #define alpha_strcpy(dest,src,other_safe_chars,maxlength) \
 158         alpha_strcpy_fn(SAFE_STRING_FUNCTION_NAME,SAFE_STRING_LINE, \
 159                         dest,src,other_safe_chars,maxlength)
 160
 161 #define StrnCpy(dest,src,n) \
 162         StrnCpy_fn(SAFE_STRING_FUNCTION_NAME,SAFE_STRING_LINE, \
 163                         dest,src,n)
 164
 165 #ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS
 166
 167 /* if the compiler will optimize out function calls, then use this to tell if we are
 168    have the correct types (this works only where sizeof() returns the size of the buffer, not
 169    the size of the pointer). */
 170
 171 #define safe_strcpy_fn2(fn_name, fn_line, d, s, max_len) \
 172     (CHECK_STRING_SIZE(d, max_len+1) \
 173     ? __unsafe_string_function_usage_here__() \
 174     : safe_strcpy_fn(fn_name, fn_line, (d), (s), (max_len)))
 175
 176 #define safe_strcat_fn2(fn_name, fn_line, d, s, max_len) \
 177     (CHECK_STRING_SIZE(d, max_len+1) \
 178     ? __unsafe_string_function_usage_here__() \
 179     : safe_strcat_fn(fn_name, fn_line, (d), (s), (max_len)))
 180
 181 #define push_string_check_fn2(fn_name, fn_line, dest, src, dest_len, flags) \
 182     (CHECK_STRING_SIZE(dest, dest_len) \
 183     ? __unsafe_string_function_usage_here_size_t__() \
 184     : push_string_check_fn(fn_name, fn_line, dest, src, dest_len, flags))
 185
 186 #define pull_string_talloc_fn2(fn_name, fn_line, ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \
 187     pull_string_talloc_fn(fn_name, fn_line, ctx, base_ptr, smb_flags2, dest, src, src_len, flags)
 188
 189 #define clistr_push_fn2(fn_name, fn_line, cli, dest, src, dest_len, flags) \
 190     (CHECK_STRING_SIZE(dest, dest_len) \
 191     ? __unsafe_string_function_usage_here_size_t__() \
 192     : clistr_push_fn(fn_name, fn_line, cli, dest, src, dest_len, flags))
 193
 194 #define clistr_pull_fn2(fn_name, fn_line, inbuf, dest, src, dest_len, srclen, flags) \
 195     (CHECK_STRING_SIZE(dest, dest_len) \
 196     ? __unsafe_string_function_usage_here_size_t__() \
 197     : clistr_pull_fn(fn_name, fn_line, inbuf, dest, src, dest_len, srclen, flags))
 198
 199 #define srvstr_push_fn2(fn_name, fn_line, base_ptr, smb_flags2, dest, src, dest_len, flags) \
 200     (CHECK_STRING_SIZE(dest, dest_len) \
 201     ? __unsafe_string_function_usage_here_size_t__() \
 202     : srvstr_push_fn(fn_name, fn_line, base_ptr, smb_flags2, dest, src, dest_len, flags))
 203
 204 #else
 205
 206 #define safe_strcpy_fn2 safe_strcpy_fn
 207 #define safe_strcat_fn2 safe_strcat_fn
 208 #define push_string_check_fn2 push_string_check_fn
 209 #define pull_string_talloc_fn2 pull_string_talloc_fn
 210 #define clistr_push_fn2 clistr_push_fn
 211 #define clistr_pull_fn2 clistr_pull_fn
 212 #define srvstr_push_fn2 srvstr_push_fn
 213
 214 #endif
 215
 216 #endif