Commit graph

19 commits

Author SHA1 Message Date
Peter Jones
d5a32255de misc: Make grub_strtol() "end" pointers have safer const qualifiers
Currently the string functions grub_strtol(), grub_strtoul(), and
grub_strtoull() don't declare the "end" pointer in such a way as to
require the pointer itself or the character array to be immutable to the
implementation, nor does the C standard do so in its similar functions,
though it does require us not to change any of it.

The typical declarations of these functions follow this pattern:

long
strtol(const char * restrict nptr, char ** restrict endptr, int base);

Much of the reason for this is historic, and a discussion of that
follows below, after the explanation of this change.  (GRUB currently
does not include the "restrict" qualifiers, and we name the arguments a
bit differently.)

The implementation is semantically required to treat the character array
as immutable, but such accidental modifications aren't stopped by the
compiler, and the semantics for both the callers and the implementation
of these functions are sometimes also helped by adding that requirement.

This patch changes these declarations to follow this pattern instead:

long
strtol(const char * restrict nptr,
       const char ** const restrict endptr,
       int base);

This means that if any modification to these functions accidentally
introduces either an errant modification to the underlying character
array, or an accidental assignment to endptr rather than *endptr, the
compiler should generate an error.  (The two uses of "restrict" in this
case basically mean strtol() isn't allowed to modify the character array
by going through *endptr, and endptr isn't allowed to point inside the
array.)

It also means the typical use case changes to:

  char *s = ...;
  const char *end;
  long l;

  l = strtol(s, &end, 10);

Or even:

  const char *p = str;
  while (p && *p) {
	  long l = strtol(p, &p, 10);
	  ...
  }

This fixes 26 places where we discard our attempts at treating the data
safely by doing:

  const char *p = str;
  long l;

  l = strtol(p, (char **)&ptr, 10);

It also adds 5 places where we do:

  char *p = str;
  while (p && *p) {
	  long l = strtol(p, (const char ** const)&p, 10);
	  ...
	  /* more calls that need p not to be pointer-to-const */
  }

While moderately distasteful, this is a better problem to have.

With one minor exception, I have tested that all of this compiles
without relevant warnings or errors, and that /much/ of it behaves
correctly, with gcc 9 using 'gcc -W -Wall -Wextra'.  The one exception
is the changes in grub-core/osdep/aros/hostdisk.c , which I have no idea
how to build.

Because the C standard defined type-qualifiers in a way that can be
confusing, in the past there's been a slow but fairly regular stream of
churn within our patches, which add and remove the const qualifier in many
of the users of these functions.  This change should help avoid that in
the future, and in order to help ensure this, I've added an explanation
in misc.h so that when someone does get a compiler warning about a type
error, they have the fix at hand.

The reason we don't have "const" in these calls in the standard is
purely anachronistic: C78 (de facto) did not have type qualifiers in the
syntax, and the "const" type qualifier was added for C89 (I think; it
may have been later).  strtol() appears to date from 4.3BSD in 1986,
which means it could not be added to those functions in the standard
without breaking compatibility, which is usually avoided.

The syntax chosen for type qualifiers is what has led to the churn
regarding usage of const, and is especially confusing on string
functions due to the lack of a string type.  Quoting from C99, the
syntax is:

 declarator:
  pointer[opt] direct-declarator
 direct-declarator:
  identifier
  ( declarator )
  direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ]
  ...
  direct-declarator [ type-qualifier-list[opt] * ]
  ...
 pointer:
  * type-qualifier-list[opt]
  * type-qualifier-list[opt] pointer
 type-qualifier-list:
  type-qualifier
  type-qualifier-list type-qualifier
 ...
 type-qualifier:
  const
  restrict
  volatile

So the examples go like:

const char foo;			// immutable object
const char *foo;		// mutable pointer to object
char * const foo;		// immutable pointer to mutable object
const char * const foo;		// immutable pointer to immutable object
const char const * const foo; 	// XXX extra const keyword in the middle
const char * const * const foo; // immutable pointer to immutable
				//   pointer to immutable object
const char ** const foo;	// immutable pointer to mutable pointer
				//   to immutable object

Making const left-associative for * and right-associative for everything
else may not have been the best choice ever, but here we are, and the
inevitable result is people using trying to use const (as they should!),
putting it at the wrong place, fighting with the compiler for a bit, and
then either removing it or typecasting something in a bad way.  I won't
go into describing restrict, but its syntax has exactly the same issue
as with const.

Anyway, the last example above actually represents the *behavior* that's
required of strtol()-like functions, so that's our choice for the "end"
pointer.

Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-02-28 12:41:29 +01:00
Colin Watson
f8f35acb5b syslinux: Fix syslinux_test in out-of-tree builds
syslinux_parse simplifies some filenames by removing things like ".."
segments, but the tests assumed that @abs_top_srcdir@ would be
untouched, which is not true in the case of out-of-tree builds where
@abs_top_srcdir@ may contain ".." segments.

Performing the substitution requires some awkwardness in Makefile.am due
to details of how config.status works.

Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2019-03-05 10:27:53 +01:00
Vladimir Serbinenko
ca0a4f689a verifiers: File type for fine-grained signature-verification controlling
Let's provide file type info to the I/O layer. This way verifiers
framework and its users will be able to differentiate files and verify
only required ones.

This is preparatory patch.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
2018-11-09 13:25:31 +01:00
Andrei Borzenkov
48cd9dc104 syslinux_parse: assorted issues found by Coverity
1. Remove unneeded NULL check
CID: 96607

2. Do not allocate storage for initrd, copy it directly from input
buffer. Avoids memory leak in failure path.
CID: 96604

3. Unchecked error return from print()
CID: 96601, 73595
2015-06-19 18:38:25 +03:00
Andrei Borzenkov
8067fe28ed syslinux_parse: make print_escaped actually stop before `to'
The only current user is mboot.c32 which unfortunately is not covered
by regression tests.
2015-06-19 17:35:17 +03:00
Lunar
c9ee9bedef syslinux: Support {vesa,}menu.c32. 2015-03-27 15:15:13 +01:00
Vladimir Serbinenko
dc06aa949b syslinux_parse: Fix the case of unknown localboot.
Reported by: Jordan Uggla
2015-03-04 14:19:29 +01:00
Vladimir Serbinenko
e29af836d0 Don't remove initrd= parameter.
Based on simplified patch by Lunar.

Reported by: Lunar
2015-02-16 15:56:26 +01:00
Vladimir Serbinenko
b23635fcff syslinux_parse: Always output comments even if no entries are found. 2015-02-16 10:54:20 +01:00
Andrei Borzenkov
2efab86d5a syslinux_parse: fix memory leak.
Found by: Coverity scan.
2015-01-28 20:09:25 +03:00
Vladimir Serbinenko
49978c5c4f lib/syslinux_parse: Add missing error check.
Found by: Coverity scan.
2015-01-26 09:42:04 +01:00
Vladimir Serbinenko
ca7c1fd6f3 lib/syslinux_parse: Fix memory leak.
Found by: Coveriy scan.
2015-01-26 09:41:43 +01:00
Vladimir Serbinenko
aa64393144 lib/syslinux_parse: Add missing alloc check.
Found by: Coverity scan.
2015-01-26 09:40:42 +01:00
Vladimir Serbinenko
59d4036594 Replace explicit sizeof divisions by ARRAY_SIZE. 2015-01-21 17:37:31 +01:00
Andrei Borzenkov
dbbac5a04c grub-core/lib/syslinux_parse.c: do not free array
say->msg is inline array in a structure and should not be freed.
CID: 73610
2014-11-30 18:49:14 +03:00
Vladimir Serbinenko
a72fc329eb * grub-core/lib/syslinux_parse.c: Fix timeout quoting. 2014-04-06 00:44:44 +02:00
Vladimir Serbinenko
1962ed95cc * grub-core/lib/syslinux_parse.c: Declare timeout unsigned. 2013-12-18 12:29:30 +01:00
Vladimir Serbinenko
a43b3e5d8e Silence spurious warning. 2013-12-18 06:19:16 +01:00
Vladimir Serbinenko
8f5add13ff Implement syslinux parser. 2013-12-18 05:28:05 +01:00