Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 8df49ad2467ec2d48f94a925162185c34bf6e68b^! / . / libc / include / string.h
commit8df49ad2467ec2d48f94a925162185c34bf6e68b[log] [tgz]
authorNick Kralevich <nnk@google.com>Wed Jun 13 16:57:27 2012 -0700
committerNick Kralevich <nnk@google.com>Thu Jun 14 12:52:42 2012 -0700
tree00161cd65c6292eebd000699534b554b2c52be0a
parent4442d512c66aa32a26fe2e652e55ad05249ea3da [diff] [blame]
FORTIFY_SOURCE: add strlcpy / strlcat support

Add strlcpy / strlcat support to FORTIFY_SOURCE. This allows
us to do consistency checks on to ensure we don't overflow buffers
when the compiler is able to tell us the size of the buffer we're
dealing with.

Unlike previous changes, this change DOES NOT use the compiler's
builtin support. Instead, we do everything the compiler would
normally do.

Change-Id: I47c099a911382452eafd711f8e9bfe7c2d0a0d22

diff --git a/libc/include/string.h b/libc/include/string.h
index e1718e9..b8f60e4 100644
--- a/libc/include/string.h
+++ b/libc/include/string.h

@@ -122,6 +122,68 @@
     return __builtin___memset_chk(s, c, n, __builtin_object_size (s, 0));
 }
 
+extern size_t strlcpy_real(char *, const char *, size_t)
+    __asm__(__USER_LABEL_PREFIX__ "strlcpy");
+extern void __strlcpy_error()
+    __attribute__((error ("strlcpy called with size bigger than buffer")));
+extern size_t __strlcpy_chk(char *, const char *, size_t, size_t);
+
+__BIONIC_FORTIFY_INLINE
+size_t strlcpy(char *dest, const char *src, size_t size) {
+    size_t bos = __builtin_object_size(dest, 0);
+
+    // Compiler doesn't know destination size. Don't call __strlcpy_chk
+    if (bos == (size_t) -1) {
+        return strlcpy_real(dest, src, size);
+    }
+
+    // Compiler can prove, at compile time, that the passed in size
+    // is always <= the actual object size. Don't call __strlcpy_chk
+    if (__builtin_constant_p(size) && (size <= bos)) {
+        return strlcpy_real(dest, src, size);
+    }
+
+    // Compiler can prove, at compile time, that the passed in size
+    // is always > the actual object size. Force a compiler error.
+    if (__builtin_constant_p(size) && (size > bos)) {
+        __strlcpy_error();
+    }
+
+    return __strlcpy_chk(dest, src, size, bos);
+}
+
+extern size_t strlcat_real(char *, const char *, size_t)
+    __asm__(__USER_LABEL_PREFIX__ "strlcat");
+extern void __strlcat_error()
+    __attribute__((error ("strlcat called with size bigger than buffer")));
+extern size_t __strlcat_chk(char *, const char *, size_t, size_t);
+
+
+__BIONIC_FORTIFY_INLINE
+size_t strlcat(char *dest, const char *src, size_t size) {
+    size_t bos = __builtin_object_size(dest, 0);
+
+    // Compiler doesn't know destination size. Don't call __strlcat_chk
+    if (bos == (size_t) -1) {
+        return strlcat_real(dest, src, size);
+    }
+
+    // Compiler can prove, at compile time, that the passed in size
+    // is always <= the actual object size. Don't call __strlcat_chk
+    if (__builtin_constant_p(size) && (size <= bos)) {
+        return strlcat_real(dest, src, size);
+    }
+
+    // Compiler can prove, at compile time, that the passed in size
+    // is always > the actual object size. Force a compiler error.
+    if (__builtin_constant_p(size) && (size > bos)) {
+        __strlcat_error();
+    }
+
+    return __strlcat_chk(dest, src, size, bos);
+}
+
+
 #endif /* defined(__BIONIC_FORTIFY_INLINE) */
 
 __END_DECLS