lib/string: Add strscpy_pad() function

We have a function to copy strings safely and we have a function to copy strings and zero the tail of the destination (if source string is shorter than destination buffer) but we do not have a function to do both at once. This means developers must write this themselves if they desire this functionality. This is a chore, and also leaves us open to off by one errors unnecessarily. Add a function that calls strscpy() then memset()s the tail to zero if the source string is shorter than the destination buffer. Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Tobin C. Harding <tobin@kernel.org> Signed-off-by: Shuah Khan <shuah@kernel.org>
author: Tobin C. Harding <tobin@kernel.org> 2019-04-04 21:58:58 -0400
committer: Shuah Khan <shuah@kernel.org> 2019-04-08 18:44:21 -0400
commit: 458a3bf82df4fe1f951d0f52b1e0c1e9d5a88a3b (patch)
tree: 4d9df5df245f8f068f6624bbf6cf308784c90a94 /lib/string.c
parent: 6b1a4d5b1a26ae830d50e08d7b3ca0e8b3e6b453 (diff)
1 files changed, 40 insertions, 7 deletions
diff --git a/lib/string.c b/lib/string.c
index 3ab861c1a857..6016eb3ac73d 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -159,11 +159,9 @@ EXPORT_SYMBOL(strlcpy);
 * @src: Where to copy the string from
 * @count: Size of destination buffer
 *
- * Copy the string, or as much of it as fits, into the dest buffer.
+ * Copy the string, or as much of it as fits, into the dest buffer.  The
- * The routine returns the number of characters copied (not including
+ * behavior is undefined if the string buffers overlap.  The destination
- * the trailing NUL) or -E2BIG if the destination buffer wasn't big enough.
+ * buffer is always NUL terminated, unless it's zero-sized.
- * The behavior is undefined if the string buffers overlap.
- * The destination buffer is always NUL terminated, unless it's zero-sized.
 *
 * Preferred to strlcpy() since the API doesn't require reading memory
 * from the src string beyond the specified "count" bytes, and since
@@ -173,8 +171,10 @@ EXPORT_SYMBOL(strlcpy);
 *
 * Preferred to strncpy() since it always returns a valid string, and
 * doesn't unnecessarily force the tail of the destination buffer to be
- * zeroed.  If the zeroing is desired, it's likely cleaner to use strscpy()
+ * zeroed.  If zeroing is desired please use strscpy_pad().
- * with an overflow test, then just memset() the tail of the dest buffer.
+ *
+ * Return: The number of characters copied (not including the trailing
+ *         %NUL) or -E2BIG if the destination buffer wasn't big enough.
 */
 ssize_t strscpy(char *dest, const char *src, size_t count)
 {
@@ -237,6 +237,39 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
 EXPORT_SYMBOL(strscpy);
 #endif
+/**
+ * strscpy_pad() - Copy a C-string into a sized buffer
+ * @dest: Where to copy the string to
+ * @src: Where to copy the string from
+ * @count: Size of destination buffer
+ *
+ * Copy the string, or as much of it as fits, into the dest buffer.  The
+ * behavior is undefined if the string buffers overlap.  The destination
+ * buffer is always %NUL terminated, unless it's zero-sized.
+ *
+ * If the source string is shorter than the destination buffer, zeros
+ * the tail of the destination buffer.
+ *
+ * For full explanation of why you may want to consider using the
+ * 'strscpy' functions please see the function docstring for strscpy().
+ *
+ * Return: The number of characters copied (not including the trailing
+ *         %NUL) or -E2BIG if the destination buffer wasn't big enough.
+ */
+ssize_t strscpy_pad(char *dest, const char *src, size_t count)
+{
+        ssize_t written;
+        written = strscpy(dest, src, count);
+        if (written < 0 || written == count - 1)
+                return written;
+        memset(dest + written + 1, 0, count - written - 1);
+        return written;
+}
+EXPORT_SYMBOL(strscpy_pad);
 #ifndef __HAVE_ARCH_STRCAT
 /**
 * strcat - Append one %NUL-terminated string to another
author	Tobin C. Harding <tobin@kernel.org>	2019-04-04 21:58:58 -0400
committer	Shuah Khan <shuah@kernel.org>	2019-04-08 18:44:21 -0400
commit	458a3bf82df4fe1f951d0f52b1e0c1e9d5a88a3b (patch)
tree	4d9df5df245f8f068f6624bbf6cf308784c90a94 /lib/string.c
parent	6b1a4d5b1a26ae830d50e08d7b3ca0e8b3e6b453 (diff)

diff --git a/lib/string.c b/lib/string.c index 3ab861c1a857..6016eb3ac73d 100644 --- a/lib/string.c +++ b/lib/string.c
@@ -159,11 +159,9 @@ EXPORT_SYMBOL(strlcpy);
159	* @src: Where to copy the string from	159	* @src: Where to copy the string from
160	* @count: Size of destination buffer	160	* @count: Size of destination buffer
161	*	161	*
162	* Copy the string, or as much of it as fits, into the dest buffer.	162	* Copy the string, or as much of it as fits, into the dest buffer. The
163	* The routine returns the number of characters copied (not including	163	* behavior is undefined if the string buffers overlap. The destination
164	* the trailing NUL) or -E2BIG if the destination buffer wasn't big enough.	164	* buffer is always NUL terminated, unless it's zero-sized.
165	* The behavior is undefined if the string buffers overlap.
166	* The destination buffer is always NUL terminated, unless it's zero-sized.
167	*	165	*
168	* Preferred to strlcpy() since the API doesn't require reading memory	166	* Preferred to strlcpy() since the API doesn't require reading memory
169	* from the src string beyond the specified "count" bytes, and since	167	* from the src string beyond the specified "count" bytes, and since
@@ -173,8 +171,10 @@ EXPORT_SYMBOL(strlcpy);
173	*	171	*
174	* Preferred to strncpy() since it always returns a valid string, and	172	* Preferred to strncpy() since it always returns a valid string, and
175	* doesn't unnecessarily force the tail of the destination buffer to be	173	* doesn't unnecessarily force the tail of the destination buffer to be
176	* zeroed. If the zeroing is desired, it's likely cleaner to use strscpy()	174	* zeroed. If zeroing is desired please use strscpy_pad().
177	* with an overflow test, then just memset() the tail of the dest buffer.	175	*
		176	* Return: The number of characters copied (not including the trailing
		177	* %NUL) or -E2BIG if the destination buffer wasn't big enough.
178	*/	178	*/
179	ssize_t strscpy(char dest, const char src, size_t count)	179	ssize_t strscpy(char dest, const char src, size_t count)
180	{	180	{
@@ -237,6 +237,39 @@ ssize_t strscpy(char dest, const char src, size_t count)
237	EXPORT_SYMBOL(strscpy);	237	EXPORT_SYMBOL(strscpy);
238	#endif	238	#endif
239		239
		240	/**
		241	* strscpy_pad() - Copy a C-string into a sized buffer
		242	* @dest: Where to copy the string to
		243	* @src: Where to copy the string from
		244	* @count: Size of destination buffer
		245	*
		246	* Copy the string, or as much of it as fits, into the dest buffer. The
		247	* behavior is undefined if the string buffers overlap. The destination
		248	* buffer is always %NUL terminated, unless it's zero-sized.
		249	*
		250	* If the source string is shorter than the destination buffer, zeros
		251	* the tail of the destination buffer.
		252	*
		253	* For full explanation of why you may want to consider using the
		254	* 'strscpy' functions please see the function docstring for strscpy().
		255	*
		256	* Return: The number of characters copied (not including the trailing
		257	* %NUL) or -E2BIG if the destination buffer wasn't big enough.
		258	*/
		259	ssize_t strscpy_pad(char dest, const char src, size_t count)
		260	{
		261	ssize_t written;
		262
		263	written = strscpy(dest, src, count);
		264	if (written < 0 \|\| written == count - 1)
		265	return written;
		266
		267	memset(dest + written + 1, 0, count - written - 1);
		268
		269	return written;
		270	}
		271	EXPORT_SYMBOL(strscpy_pad);
		272
240	#ifndef __HAVE_ARCH_STRCAT	273	#ifndef __HAVE_ARCH_STRCAT
241	/**	274	/**
242	* strcat - Append one %NUL-terminated string to another	275	* strcat - Append one %NUL-terminated string to another