Commit Graph

19 Commits

Author SHA1 Message Date
FRIGN
32b9d76747 Audit strings(1)
Only smaller style-changes. I already refactored the underlying
logic a while ago.
2015-03-17 23:05:50 +01:00
FRIGN
833c2aebb4 Remove mallocarray(...) and use reallocarray(NULL, ...)
After a short correspondence with Otto Moerbeek it turned out
mallocarray() is only in the OpenBSD-Kernel, because the kernel-
malloc doesn't have realloc.
Userspace applications should rather use reallocarray with an
explicit NULL-pointer.

Assuming reallocarray() will become available in c-stdlibs in the
next few years, we nip mallocarray() in the bud to allow an easy
transition to a system-provided version when the day comes.
2015-03-11 10:50:18 +01:00
FRIGN
3c33abc520 Implement mallocarray()
A function used only in the OpenBSD-Kernel as of now, but it surely
provides a helpful interface when you just don't want to make sure
the incoming pointer to erealloc() is really NULL so it behaves
like malloc, making it a bit more safer.

Talking about *allocarray(): It's definitely a major step in code-
hardening. Especially as a system administrator, you should be
able to trust your core tools without having to worry about segfaults
like this, which can easily lead to privilege escalation.

How do the GNU coreutils handle this?
$ strings -n 4611686018427387903
strings: invalid minimum string length -1
$ strings -n 4611686018427387904
strings: invalid minimum string length 0

They silently overflow...

In comparison, sbase:

$ strings -n 4611686018427387903
mallocarray: out of memory
$ strings -n 4611686018427387904
mallocarray: out of memory

The first out of memory is actually a true OOM returned by malloc,
whereas the second one is a detected overflow, which is not marked
in a special way.
Now tell me which diagnostic error-messages are easier to understand.
2015-03-10 22:19:19 +01:00
FRIGN
3b825735d8 Implement reallocarray()
Stateless and I stumbled upon this issue while discussing the
semantics of read, accepting a size_t but only being able to return
ssize_t, effectively lacking the ability to report successful
reads > SSIZE_MAX.
The discussion went along and we came to the topic of input-based
memory allocations. Basically, it was possible for the argument
to a memory-allocation-function to overflow, leading to a segfault
later.
The OpenBSD-guys came up with the ingenious reallocarray-function,
and I implemented it as ereallocarray, which automatically returns
on error.
Read more about it here[0].

A simple testcase is this (courtesy to stateless):
$ sbase-strings -n (2^(32|64) / 4)

This will segfault before this patch and properly return an OOM-
situation afterwards (thanks to the overflow-check in reallocarray).

[0]: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/calloc.3
2015-03-10 21:23:36 +01:00
FRIGN
ef23f966c5 Refactor strings(1) loop again
fixing a little out-of-bounds write.
2015-02-17 18:18:54 +01:00
FRIGN
439bf8a157 Fix small issue in strings(1) loop
It wouldn't print the len'th character.
2015-02-17 18:11:59 +01:00
FRIGN
e5b5497773 Add UTF-8-support to strings(1), add t-flag and refactor code
Previously, the string-length was limited to BUFSIZ, which is an
obvious deficiency.
Now the buffer only needs to be as long as the user specifies the
minimal string length.
I added UTF-8-support, because that's how POSIX wants it and there
are cases where you need this. It doesn't add ELF-barf compared to
the previous implementation.
The t-flag is also pretty important for POSIX-compliance, so I added
it.
The only trouble previously was the a-flag, but given that POSIX
leaves undefined what the a-flag actually does, we set it as default
and don't care about parsing ELF-headers, which has already
turned out to be a security issue in GNU coreutils[0].

[0]: http://lcamtuf.blogspot.ro/2014/10/psa-dont-run-strings-on-untrusted-files.html
2015-02-17 17:04:36 +01:00
sin
4904f26e5d strings: Remember to include limits.h for INT_MAX 2015-02-17 13:50:10 +00:00
sin
d8a89002d3 strings: Add -n len support 2015-02-17 13:46:48 +00:00
sin
8ce6d7091a strings: Default to -a 2015-02-17 13:40:36 +00:00
FRIGN
31572c8b0e Clean up #includes 2015-02-14 21:12:23 +01:00
sin
aabcb69991 Respect exit status in strings(1) and update manpage 2014-11-23 12:44:38 +00:00
FRIGN
7d2683ddf2 Sort includes and more cleanup and fixes in util/ 2014-11-14 10:54:10 +00:00
FRIGN
eee98ed3a4 Fix coding style
It was about damn time. Consistency is very important in such a
big codebase.
2014-11-13 18:08:43 +00:00
sin
0c5b7b9155 Stop using EXIT_{SUCCESS,FAILURE} 2014-10-02 23:46:59 +01:00
sin
b8edf3b4ee Add weprintf() and replace fprintf(stderr, ...) calls
There is still some programs left to be updated for this.

Many of these programs would stop on the first file that they
could not open.
2013-11-13 11:41:43 +00:00
sin
12ad81fa24 Allow strings(1) to operate on more than one file 2013-10-10 16:05:05 +01:00
sin
b5a511dacf Exit with EXIT_SUCCESS/EXIT_FAILURE instead of 0 and 1
Fixed for consistency purposes.
2013-10-07 16:44:22 +01:00
sin
0ed2a55003 Add strings(1) 2013-10-05 14:58:55 +01:00