Bug 2769 - String truncation warnings in fmt_scaled
Summary: String truncation warnings in fmt_scaled
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sftp (show other bugs)
Version: -current
Hardware: Other Linux
: P5 normal
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks: V_7_8
  Show dependency treegraph
 
Reported: 2017-08-26 21:43 AEST by Colin Watson
Modified: 2018-10-19 17:17 AEDT (History)
2 users (show)

See Also:


Attachments
Help compiler prove that fmt_scaled snprintf fits (983 bytes, patch)
2017-08-26 21:43 AEST, Colin Watson
no flags Details | Diff
with 100% less assert(3) (575 bytes, patch)
2018-04-13 13:54 AEST, Damien Miller
dtucker: ok+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Colin Watson 2017-08-26 21:43:31 AEST
Created attachment 3042 [details]
Help compiler prove that fmt_scaled snprintf fits

fmt_scaled.c: In function ‘fmt_scaled’:
fmt_scaled.c:269:52: warning: ‘%1lld’ directive output may be truncated writing between 1 and 17 bytes into a region of size between 0 and 5 [-Wformat-truncation=]
   (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
                                                    ^~~~~
fmt_scaled.c:269:46: note: directive argument in the range [-9007199254740992, 9007199254740991]
   (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
                                              ^~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from ../includes.h:141,
                 from fmt_scaled.c:41:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 5 and 40 bytes into a destination of size 7
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is actually OK, I think, but the compiler can't quite prove it.  The attached patch helps it do so by syncing up a condition with the nearby comment and by adding an assertion.
Comment 1 Darren Tucker 2017-08-27 10:33:37 AEST
this function comes from OpenBSD's libutil and I'll have to see what the policy on asserts in that is.
Comment 2 Colin Watson 2017-08-27 16:12:50 AEST
If you can't do an assertion, then some approach like "if (fract < 0) fall_over;" should have a similar effect in terms of allowing the compiler to deduce correct bounds on fract.
Comment 3 Damien Miller 2018-04-06 13:12:12 AEST
Move to OpenSSH 7.8 tracking bug
Comment 4 Damien Miller 2018-04-13 13:54:46 AEST
Created attachment 3141 [details]
with 100% less assert(3)

This one does it without assert, by clamping fract to [0, 10).
Comment 5 Damien Miller 2018-06-01 13:36:49 AEST
This is fixed in HEAD and will be in OpenSSH 7.8:

commit 32e4e94e1511fe0020fbfbb62399d31b2d22a801
Author: Damien Miller <djm@mindrot.org>
Date:   Mon May 14 14:40:08 2018 +1000

    sync fmt_scaled.c
    
    revision 1.17
    date: 2018/05/14 04:39:04;  author: djm;  state: Exp;  lines: +5 -2;
    commitid: 53zY8GjViUBnWo8Z;
    constrain fractional part to [0-9] (less confusing to static analysis); ok ian@
Comment 6 Damien Miller 2018-10-19 17:17:27 AEDT
Close RESOLVED bugs with the release of openssh-8.0