/*
Unix SMB/CIFS implementation.
Safe string handling routines.
Copyright (C) Andrew Tridgell 1994-1998
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# ifndef _SAFE_STRING_H
# define _SAFE_STRING_H
# ifndef _SPLINT_ /* http://www.splint.org */
/* Some macros to ensure people don't use buffer overflow vulnerable string
functions . */
2002-02-26 20:40:43 +03:00
# ifdef bcopy
# undef bcopy
# endif /* bcopy */
# define bcopy(src,dest,size) __ERROR__XX__NEVER_USE_BCOPY___;
2000-02-03 07:47:50 +03:00
# ifdef strcpy
# undef strcpy
# endif /* strcpy */
# define strcpy(dest,src) __ERROR__XX__NEVER_USE_STRCPY___;
# ifdef strcat
# undef strcat
# endif /* strcat */
# define strcat(dest,src) __ERROR__XX__NEVER_USE_STRCAT___;
# ifdef sprintf
# undef sprintf
# endif /* sprintf */
# define sprintf __ERROR__XX__NEVER_USE_SPRINTF__;
2003-10-23 03:38:20 +04:00
/*
* strcasecmp / strncasecmp aren ' t an error , but it means you ' re not thinking about
* multibyte . Don ' t use them . JRA .
*/
# ifdef strcasecmp
# undef strcasecmp
# endif
# define strcasecmp __ERROR__XX__NEVER_USE_STRCASECMP__;
# ifdef strncasecmp
# undef strncasecmp
# endif
2004-06-22 04:48:59 +04:00
# define strncasecmp __ERROR__XX__NEVER_USE_STRNCASECMP__;
2003-10-23 03:38:20 +04:00
2002-02-16 22:44:18 +03:00
# endif /* !_SPLINT_ */
/*
 * Prototypes for functions that are deliberately never defined.  The
 * checking macros below expand a call whose buffer size does not match
 * into a call to one of these; because the size comparison is a constant
 * the compiler is expected to drop the dead branch, so a call to one of
 * these only survives when the check has failed and the misuse is then
 * caught when the object is linked rather than as a silent overflow.
 * There is one prototype per return type so that both arms of the
 * conditional expression in the checking macros have the same type.
 */
char *__unsafe_string_function_usage_here__(void);

size_t __unsafe_string_function_usage_here_size_t__(void);

size_t __unsafe_string_function_usage_here_char__(void);
#ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS

/*
 * Compile-time buffer size check, usable only when the compiler folds the
 * constant comparison and removes the dead call it guards.  Evaluates to
 * true when `d` is an array whose sizeof differs from `len`.  A `d` whose
 * sizeof equals that of a `char *` is let through, because sizeof then
 * says nothing about the buffer being pointed at (the check only works
 * where sizeof() yields the size of the buffer, not of a pointer).
 */
#define CHECK_STRING_SIZE(d, len) \
	(sizeof(d) != (len) && sizeof(d) != sizeof(char *))

#endif /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */
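/*
 * Copy `src` to `dest`, where `dest` points somewhere inside a buffer that
 * starts at `base` and is `size` bytes long.  The room handed to
 * safe_strcpy is the buffer size minus the offset of `dest` within it,
 * minus one because safe_strcpy's length excludes the terminating NUL.
 * Every argument is parenthesised so that an operator expression passed
 * as `size` or `dest` is not re-associated by the surrounding subtraction.
 */
#define safe_strcpy_base(dest, src, base, size) \
	safe_strcpy((dest), (src), (size) - PTR_DIFF((dest), (base)) - 1)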
/*
 * String copy wrappers for the fixed-size string types (fstring, nstring,
 * unstring).  The macro layer is the only "type checking" available here
 * (limited, but the best we can do in C): each wrapper derives the length
 * from the destination type itself, so the caller cannot supply the wrong
 * one, and subtracts one so the terminating NUL always fits.
 */
#define fstrcpy(d,s) safe_strcpy((d),(s),sizeof(fstring)-1)
#define fstrcat(d,s) safe_strcat((d),(s),sizeof(fstring)-1)

#define nstrcpy(d,s) safe_strcpy((d), (s),sizeof(nstring)-1)

#define unstrcpy(d,s) safe_strcpy((d), (s),sizeof(unstring)-1)
/* The addition of the DEVELOPER checks in safe_strcpy means a lot of
 * callers have to be updated.  To make that a little easier, here are
 * some wrappers that supply the lengths with less pain. */

/* overmalloc_safe_strcpy: DEPRECATED!  Used when you know the
 * destination buffer is longer than maxlength, but you don't know how
 * long.  This is not a good situation, because we can't do the normal
 * sanity checks.  Don't use in new code!
 *
 * Note that this calls safe_strcpy_fn directly, so it bypasses the
 * compile-time CHECK_STRING_SIZE guard that the checked safe_strcpy
 * macro applies. */

#define overmalloc_safe_strcpy(dest,src,maxlength) \
	safe_strcpy_fn(dest,src,maxlength)
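#ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS
/*
 * Checked variants.  When the compiler folds constant conditions and drops
 * the dead call, CHECK_STRING_SIZE compares the compile-time size of the
 * destination with the length the caller claims for it (this works only
 * where sizeof() returns the size of the buffer, not the size of a
 * pointer).  A mismatch leaves a call to one of the never-defined
 * __unsafe_string_function_usage_here* prototypes in the object, so the
 * misuse is expected to be caught before the binary is ever run rather
 * than as a silent overflow.
 *
 * `max_len` is parenthesised before `+ 1` so that an argument containing a
 * lower-precedence operator (a conditional, for example) is compared as a
 * whole instead of having only its last operand incremented.
 */
#define safe_strcpy(d, s, max_len) \
	(CHECK_STRING_SIZE(d, (max_len) + 1) \
	 ? __unsafe_string_function_usage_here__() \
	 : safe_strcpy_fn((d), (s), (max_len)))

#define safe_strcat(d, s, max_len) \
	(CHECK_STRING_SIZE(d, (max_len) + 1) \
	 ? __unsafe_string_function_usage_here__() \
	 : safe_strcat_fn((d), (s), (max_len)))

#define push_string_check(dest, src, dest_len, flags) \
	(CHECK_STRING_SIZE(dest, dest_len) \
	 ? __unsafe_string_function_usage_here_size_t__() \
	 : push_string_check_fn(dest, src, dest_len, flags))

/* NOTE(review): no size check is applied here, presumably because the
 * destination is allocated by the callee (talloc) rather than being a
 * caller-supplied buffer -- confirm against pull_string_talloc_fn. */
#define pull_string_talloc(ctx, base_ptr, smb_flags2, dest, src, src_len, flags) \
	pull_string_talloc_fn(ctx, base_ptr, smb_flags2, dest, src, src_len, flags)

#define clistr_push(cli, dest, src, dest_len, flags) \
	(CHECK_STRING_SIZE(dest, dest_len) \
	 ? __unsafe_string_function_usage_here_size_t__() \
	 : clistr_push_fn(cli, dest, src, dest_len, flags))

#define clistr_pull(inbuf, dest, src, dest_len, srclen, flags) \
	(CHECK_STRING_SIZE(dest, dest_len) \
	 ? __unsafe_string_function_usage_here_size_t__() \
	 : clistr_pull_fn(inbuf, dest, src, dest_len, srclen, flags))

#define srvstr_push(base_ptr, smb_flags2, dest, src, dest_len, flags) \
	(CHECK_STRING_SIZE(dest, dest_len) \
	 ? __unsafe_string_function_usage_here_size_t__() \
	 : srvstr_push_fn(base_ptr, smb_flags2, dest, src, dest_len, flags))

/*
 * Optional argument check for strlcpy.  Unlike CHECK_STRING_SIZE this has
 * no pointer-sized escape hatch: sizeof(dest) must equal `size` exactly,
 * so it is intended for stack and static arrays only (the check works
 * only where sizeof() returns the size of the buffer, not of a pointer).
 */
#define checked_strlcpy(dest, src, size) \
	(sizeof(dest) != (size) \
	 ? __unsafe_string_function_usage_here_size_t__() \
	 : strlcpy(dest, src, size))

#else /* !HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */

/* Without the optimiser guarantee the checks above would leave real calls
 * to the undefined functions behind, so map every name straight to the
 * plain implementation. */
#define safe_strcpy safe_strcpy_fn
#define safe_strcat safe_strcat_fn
#define push_string_check push_string_check_fn
#define pull_string_talloc pull_string_talloc_fn
#define clistr_push clistr_push_fn
#define clistr_pull clistr_pull_fn
#define srvstr_push srvstr_push_fn
#define checked_strlcpy strlcpy

#endif /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */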
# endif