From: Jeff King <peff@peff.net>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: demerphq <demerphq@gmail.com>, Git <git@vger.kernel.org>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Subject: Re: [PATCH 2/7] get-tar-commit-id: check write_in_full() return against 0
Date: Wed, 13 Sep 2017 14:02:33 -0400 [thread overview]
Message-ID: <20170913180232.luxcnx7fbcpbt7bw@sigill.intra.peff.net> (raw)
In-Reply-To: <20170913175357.GC27425@aiede.mtv.corp.google.com>
On Wed, Sep 13, 2017 at 10:53:57AM -0700, Jonathan Nieder wrote:
> Jeff King wrote:
>
> > We ask to write 41 bytes and make sure that the return value
> > is at least 41. This is the same "dangerous" pattern that
> > was fixed in the prior commit (wherein a negative return
> > value is promoted to unsigned), though it is not dangerous
> > here because our "41" is a constant, not an unsigned
> > variable.
> >
> > But we should convert it anyway to avoid modeling a
> > dangerous construct.
>
> If the above logic is correct, then I suspect this series does not go
> far enough. write_in_full() would be one of those APIs that is easy
> to misuse and difficult to use correctly, and if so we should fix that
> at the source instead of trying to teach callers not to hold it wrong.
Yes, this series is just removing bad examples. It doesn't do anything
to make write_in_full() less potentially dangerous.
On the other hand, it's no more or less dangerous than write(), which
has the same return-value semantics.
> E.g. what would you think of
>
> 1. Introduce a write_fully (sorry, I am bad at names) function
> that returns 0 on success and a coccinelle semantic patch in
> contrib/coccinelle to migrate callers in "make coccicheck":
Yes, I considered that, though some callers really do care about
assigning the number of bytes written. The fact that write() has the
same problem, plus the fact that there were only 2 buggy instances
across the code base made me think there's not a huge gain to that extra
step.
> @@
> expression E;
> expression F;
> expression G;
> @@
> -write_in_full(E, F, G) < G
> +write_fully(E, F, G)
>
> 2. Run "make coccicheck" and apply the result.
> 3. Remove the write_in_full function.
There's a step between those where you have to update all of the
write_in_full() callers that store the result. Some of them would be
trivial conversions, but some of them actually care about the length
E.g., the one in imap-send.c, which is the only one I didn't convert
away from "!= len" because it's half of an #ifdef with SSL_write()
(which uses an "int" as the return value!).
> Does read_in_full need a similar treatment?
It might actually return fewer than the requested number of bytes, so it
can't just use "< 0" in the same way (nor be adapted to return 0 on
success). But I think it's still a bug to do:
char buf[20];
size_t len = sizeof(buf);
if (read_in_full(fd, buf, len) < len)
die(...);
since that will promote the -1 to a size_t. So it's probably worth
auditing.
-Peff
next prev parent reply other threads:[~2017-09-13 18:02 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-13 11:59 Bug: git branch --unset-upstream command can nuke config when disk is full demerphq
2017-09-13 12:34 ` Jeff King
2017-09-13 13:38 ` demerphq
2017-09-13 14:17 ` Jeff King
2017-09-13 14:49 ` demerphq
2017-09-13 14:51 ` Jeff King
2017-09-13 15:18 ` demerphq
2017-09-13 15:22 ` Jeff King
2017-09-13 15:49 ` demerphq
2017-09-13 17:08 ` [PATCH 0/7] config.c may fail to notice some write() failures Jeff King
2017-09-13 17:11 ` [PATCH 1/7] config: avoid "write_in_full(fd, buf, len) < len" pattern Jeff King
2017-09-13 17:47 ` Jonathan Nieder
2017-09-13 17:53 ` Jeff King
2017-09-13 17:59 ` Jonathan Nieder
2017-09-13 18:11 ` Jeff King
2017-09-13 18:15 ` [PATCH v2] " Jeff King
2017-09-13 18:24 ` Jonathan Nieder
2017-09-13 18:58 ` Jeff King
2017-09-13 19:18 ` Jonathan Nieder
2017-09-13 19:49 ` Jonathan Nieder
2017-09-13 22:43 ` Ramsay Jones
2017-09-13 23:31 ` Ramsay Jones
2017-09-15 0:37 ` Jeff King
2017-09-15 15:15 ` Ramsay Jones
2017-09-13 21:33 ` Junio C Hamano
2017-09-13 17:11 ` [PATCH 2/7] get-tar-commit-id: check write_in_full() return against 0 Jeff King
2017-09-13 17:53 ` Jonathan Nieder
2017-09-13 18:02 ` Jeff King [this message]
2017-09-13 18:37 ` Jeff King
2017-09-13 21:09 ` Jonathan Nieder
2017-09-15 0:40 ` Jeff King
2017-09-13 17:16 ` [PATCH 3/7] avoid "write_in_full(fd, buf, len) != len" pattern Jeff King
2017-09-13 21:14 ` Jonathan Nieder
2017-09-15 0:42 ` Jeff King
2017-09-13 17:16 ` [PATCH 4/7] convert less-trivial versions of "write_in_full() != len" Jeff King
2017-09-13 21:16 ` Jonathan Nieder
2017-09-13 17:17 ` [PATCH 5/7] pkt-line: check write_in_full() errors against "< 0" Jeff King
2017-09-13 21:17 ` Jonathan Nieder
2017-09-13 17:17 ` [PATCH 6/7] notes-merge: use ssize_t for write_in_full() return value Jeff King
2017-09-13 21:20 ` Jonathan Nieder
2017-09-15 0:43 ` Jeff King
2017-09-13 17:17 ` [PATCH 7/7] config: flip return value of store_write_*() Jeff King
2017-09-13 21:25 ` Jonathan Nieder
2017-09-15 0:46 ` Jeff King
2017-09-13 18:47 ` [PATCH 8/7] read_pack_header: handle signed/unsigned comparison in read result Jeff King
2017-09-13 19:11 ` Jonathan Nieder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170913180232.luxcnx7fbcpbt7bw@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=avarab@gmail.com \
--cc=demerphq@gmail.com \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).