X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/89b1a5980cf39a0f34186a4c91c3b316c7b2f831..2ead369f8435918f3f15408b9394e580bcaf0910:/src/src/string.c diff --git a/src/src/string.c b/src/src/string.c index 1b08e7fb8..4d870ec9a 100644 --- a/src/src/string.c +++ b/src/src/string.c @@ -3,7 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ -/* Copyright (c) The Exim Maintainers 2020 */ +/* Copyright (c) The Exim Maintainers 2020 - 2021 */ /* See the file NOTICE for conditions of use and distribution. */ /* Miscellaneous string-handling functions. Some are not required for @@ -281,27 +281,30 @@ return ch; /* This function is called for critical strings. It checks for any non-printing characters, and if any are found, it makes a new copy of the string with suitable escape sequences. It is most often called by the -macro string_printing(), which sets allow_tab TRUE. +macro string_printing(), which sets flags to 0. Arguments: s the input string - allow_tab TRUE to allow tab as a printing character + flags Bit 0: convert tabs. Bit 1: convert spaces. Returns: string with non-printers encoded as printing sequences */ const uschar * -string_printing2(const uschar *s, BOOL allow_tab) +string_printing2(const uschar *s, int flags) { int nonprintcount = 0; int length = 0; const uschar *t = s; uschar *ss, *tt; -while (*t != 0) +while (*t) { int c = *t++; - if (!mac_isprint(c) || (!allow_tab && c == '\t')) nonprintcount++; + if ( !mac_isprint(c) + || flags & SP_TAB && c == '\t' + || flags & SP_SPACE && c == ' ' + ) nonprintcount++; length++; } @@ -310,17 +313,19 @@ if (nonprintcount == 0) return s; /* Get a new block of store guaranteed big enough to hold the expanded string. */ -ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s)); +tt = ss = store_get(length + nonprintcount * 3 + 1, s); /* Copy everything, escaping non printers. */ -t = s; -tt = ss; - -while (*t != 0) +for (t = s; *t; ) { int c = *t; - if (mac_isprint(c) && (allow_tab || c != '\t')) *tt++ = *t++; else + if ( mac_isprint(c) + && (!(flags & SP_TAB) || c != '\t') + && (!(flags & SP_SPACE) || c != ' ') + ) + *tt++ = *t++; + else { *tt++ = '\\'; switch (*t) @@ -366,7 +371,7 @@ p = Ustrchr(s, '\\'); if (!p) return s; len = Ustrlen(s) + 1; -ss = store_get(len, is_tainted(s)); +ss = store_get(len, s); q = ss; off = p - s; @@ -423,22 +428,18 @@ Returns: copy of string in new store with the same taint status */ uschar * -string_copy_function(const uschar *s) +string_copy_function(const uschar * s) { -return string_copy_taint(s, is_tainted(s)); +return string_copy_taint(s, s); } -/* This function assumes that memcpy() is faster than strcpy(). -As above, but explicitly specifying the result taint status +/* As above, but explicitly specifying the result taint status */ uschar * -string_copy_taint_function(const uschar * s, BOOL tainted) +string_copy_taint_function(const uschar * s, const void * proto_mem) { -int len = Ustrlen(s) + 1; -uschar *ss = store_get(len, tainted); -memcpy(ss, s, len); -return ss; +return string_copy_taint(s, proto_mem); } @@ -458,12 +459,9 @@ Returns: copy of string in new store */ uschar * -string_copyn_function(const uschar *s, int n) +string_copyn_function(const uschar * s, int n) { -uschar *ss = store_get(n + 1, is_tainted(s)); -Ustrncpy(ss, s, n); -ss[n] = 0; -return ss; +return string_copyn(s, n); } #endif @@ -479,10 +477,10 @@ Returns: copy of string in new store */ uschar * -string_copy_malloc(const uschar *s) +string_copy_malloc(const uschar * s) { int len = Ustrlen(s) + 1; -uschar *ss = store_malloc(len); +uschar * ss = store_malloc(len); memcpy(ss, s, len); return ss; } @@ -501,37 +499,37 @@ Returns: pointer to the possibly altered string */ uschar * -string_split_message(uschar *msg) +string_split_message(uschar * msg) { uschar *s, *ss; -if (msg == NULL || Ustrlen(msg) <= 75) return msg; +if (!msg || Ustrlen(msg) <= 75) return msg; s = ss = msg = string_copy(msg); for (;;) { int i = 0; - while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++; - if (*ss == 0) break; + while (i < 75 && *ss && *ss != '\n') ss++, i++; + if (!*ss) break; if (*ss == '\n') s = ++ss; else { - uschar *t = ss + 1; - uschar *tt = NULL; + uschar * t = ss + 1; + uschar * tt = NULL; while (--t > s + 35) { if (*t == ' ') { if (t[-1] == ':') { tt = t; break; } - if (tt == NULL) tt = t; + if (!tt) tt = t; } } - if (tt == NULL) /* Can't split behind - try ahead */ + if (!tt) /* Can't split behind - try ahead */ { t = ss + 1; - while (*t != 0) + while (*t) { if (*t == ' ' || *t == '\n') { tt = t; break; } @@ -539,7 +537,7 @@ for (;;) } } - if (tt == NULL) break; /* Can't find anywhere to split */ + if (!tt) break; /* Can't find anywhere to split */ *tt = '\n'; s = ss = tt+1; } @@ -567,12 +565,12 @@ Returns: copy of string in new store, de-escaped */ uschar * -string_copy_dnsdomain(uschar *s) +string_copy_dnsdomain(uschar * s) { -uschar *yield; -uschar *ss = yield = store_get(Ustrlen(s) + 1, is_tainted(s)); +uschar * yield; +uschar * ss = yield = store_get(Ustrlen(s) + 1, GET_TAINTED); /* always treat as tainted */ -while (*s != 0) +while (*s) { if (*s != '\\') *ss++ = *s++; @@ -581,7 +579,7 @@ while (*s != 0) *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0'; s += 4; } - else if (*(++s) != 0) + else if (*++s) *ss++ = *s++; } @@ -606,15 +604,15 @@ Returns: the new string */ uschar * -string_dequote(const uschar **sptr) +string_dequote(const uschar ** sptr) { -const uschar *s = *sptr; -uschar *t, *yield; +const uschar * s = * sptr; +uschar * t, * yield; /* First find the end of the string */ if (*s != '\"') - while (*s != 0 && !isspace(*s)) s++; + while (*s && !isspace(*s)) s++; else { s++; @@ -628,17 +626,17 @@ else /* Get enough store to copy into */ -t = yield = store_get(s - *sptr + 1, is_tainted(*sptr)); +t = yield = store_get(s - *sptr + 1, *sptr); s = *sptr; /* Do the copy */ if (*s != '\"') - while (*s != 0 && !isspace(*s)) *t++ = *s++; + while (*s && !isspace(*s)) *t++ = *s++; else { s++; - while (*s != 0 && *s != '\"') + while (*s && *s != '\"') { *t++ = *s == '\\' ? string_interpret_escape(&s) : *s; s++; @@ -666,13 +664,15 @@ everything. Taint is taken from the worst of the arguments. Arguments: format a printf() format - deliberately char * rather than uschar * because it will most usually be a literal string + func caller, for debug + line caller, for debug ... arguments for format Returns: pointer to fresh piece of store containing sprintf'ed string */ uschar * -string_sprintf_trc(const char *format, const uschar * func, unsigned line, ...) +string_sprintf_trc(const char * format, const uschar * func, unsigned line, ...) { #ifdef COMPILE_UTILITY uschar buffer[STRING_SPRINTF_BUFFER_SIZE]; @@ -720,7 +720,7 @@ Returns: < 0, = 0, or > 0, according to the comparison */ int -strncmpic(const uschar *s, const uschar *t, int n) +strncmpic(const uschar * s, const uschar * t, int n) { while (n--) { @@ -744,9 +744,9 @@ Returns: < 0, = 0, or > 0, according to the comparison */ int -strcmpic(const uschar *s, const uschar *t) +strcmpic(const uschar * s, const uschar * t) { -while (*s != 0) +while (*s) { int c = tolower(*s++) - tolower(*t++); if (c != 0) return c; @@ -770,11 +770,11 @@ Arguments: Returns: pointer to substring in string, or NULL if not found */ -uschar * -strstric(uschar *s, uschar *t, BOOL space_follows) +const uschar * +strstric_c(const uschar * s, const uschar * t, BOOL space_follows) { -uschar *p = t; -uschar *yield = NULL; +const uschar * p = t; +const uschar * yield = NULL; int cl = tolower(*p); int cu = toupper(*p); @@ -782,8 +782,8 @@ while (*s) { if (*s == cl || *s == cu) { - if (yield == NULL) yield = s; - if (*(++p) == 0) + if (!yield) yield = s; + if (!*++p) { if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield; yield = NULL; @@ -793,7 +793,7 @@ while (*s) cu = toupper(*p); s++; } - else if (yield != NULL) + else if (yield) { yield = NULL; p = t; @@ -805,6 +805,11 @@ while (*s) return NULL; } +uschar * +strstric(uschar * s, uschar * t, BOOL space_follows) +{ +return US strstric_c(s, t, space_follows); +} #ifdef COMPILE_UTILITY @@ -853,18 +858,24 @@ Arguments: separator a pointer to the separator character in an int (see above) buffer where to put a copy of the next string in the list; or NULL if the next string is returned in new memory + Note that if the list is tainted then a provided buffer must be + also (else we trap, with a message referencing the callsite). + If we do the allocation, taint is handled there. buflen when buffer is not NULL, the size of buffer; otherwise ignored + func caller, for debug + line caller, for debug + Returns: pointer to buffer, containing the next substring, or NULL if no more substrings */ uschar * -string_nextinlist_trc(const uschar **listptr, int *separator, uschar *buffer, int buflen, - const uschar * func, int line) +string_nextinlist_trc(const uschar ** listptr, int * separator, uschar * buffer, + int buflen, const uschar * func, int line) { int sep = *separator; -const uschar *s = *listptr; +const uschar * s = *listptr; BOOL sep_is_special; if (!s) return NULL; @@ -900,6 +911,7 @@ if (!*s) return NULL; sep_is_special = iscntrl(sep); /* Handle the case when a buffer is provided. */ +/*XXX need to also deal with qouted-requirements mismatch */ if (buffer) { @@ -944,9 +956,15 @@ else s = ss; if (!*s || *++s != sep || sep_is_special) break; } - while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; + + /* Trim trailing spaces from the returned string */ + + /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */ + while ( g->ptr > 0 && isspace(g->s[g->ptr-1]) + && (g->ptr == 1 || g->s[g->ptr-2] != '\\') ) + g->ptr--; buffer = string_from_gstring(g); - gstring_release_unused(g); + gstring_release_unused_trc(g, CCS func, line); } /* Update the current pointer and return the new string */ @@ -1070,7 +1088,6 @@ gstring_grow(gstring * g, int count) { int p = g->ptr; int oldsize = g->size; -BOOL tainted = is_tainted(g->s); /* Mostly, string_cat() is used to build small strings of a few hundred characters at most. There are times, however, when the strings are very much @@ -1080,7 +1097,16 @@ existing length of the string. */ unsigned inc = oldsize < 4096 ? 127 : 1023; +if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size); + if (count <= 0) return; + +if (count >= INT_MAX/2 - g->ptr) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in gstring_grow (ptr %d count %d)", g->ptr, count); + g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */ /* Try to extend an existing allocation. If the result of calling @@ -1093,8 +1119,8 @@ is at its start.) However, we can do this only if we know that the old string was the last item on the dynamic memory stack. This is the case if it matches store_last_get. */ -if (!store_extend(g->s, tainted, oldsize, g->size)) - g->s = store_newblock(g->s, tainted, g->size, p); +if (!store_extend(g->s, oldsize, g->size)) + g->s = store_newblock(g->s, g->size, p); } @@ -1109,37 +1135,49 @@ terminated, because the number of characters to add is given explicitly. It is sometimes called to extract parts of other strings. Arguments: - string points to the start of the string that is being built, or NULL - if this is a new string that has no contents yet + g growable-string that is being built, or NULL if not assigned yet s points to characters to add count count of characters to add; must not exceed the length of s, if s is a C string. -Returns: pointer to the start of the string, changed if copied for expansion. +Returns: growable string, changed if copied for expansion. Note that a NUL is not added, though space is left for one. This is because string_cat() is often called multiple times to build up a string - there's no point adding the NUL till the end. + NULL is a possible return. */ /* coverity[+alloc] */ gstring * -string_catn(gstring * g, const uschar *s, int count) +string_catn(gstring * g, const uschar * s, int count) { int p; -BOOL srctaint = is_tainted(s); +if (count < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in string_catn (count %d)", count); +if (count == 0) return g; + +/*debug_printf("string_catn '%.*s'\n", count, s);*/ if (!g) { unsigned inc = count < 4096 ? 127 : 1023; - unsigned size = ((count + inc) & ~inc) + 1; - g = string_get_tainted(size, srctaint); + unsigned size = ((count + inc) & ~inc) + 1; /* round up requested count */ + g = string_get_tainted(size, s); + } +else if (is_incompatible(g->s, s)) + { +/* debug_printf("rebuf A\n"); */ + gstring_rebuffer(g, s); } -else if (srctaint && !is_tainted(g->s)) - gstring_rebuffer(g); + +if (g->ptr < 0 || g->ptr > g->size) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in string_catn (ptr %d size %d)", g->ptr, g->size); p = g->ptr; -if (p + count >= g->size) +if (count >= g->size - p) gstring_grow(g, count); /* Because we always specify the exact number of characters to copy, we can @@ -1153,9 +1191,9 @@ return g; gstring * -string_cat(gstring *string, const uschar *s) +string_cat(gstring * g, const uschar * s) { -return string_catn(string, s, Ustrlen(s)); +return string_catn(g, s, Ustrlen(s)); } @@ -1168,30 +1206,29 @@ return string_catn(string, s, Ustrlen(s)); It calls string_cat() to do the dirty work. Arguments: - string expanding-string that is being built, or NULL - if this is a new string that has no contents yet + g growable-string that is being built, or NULL if not yet assigned count the number of strings to append ... "count" uschar* arguments, which must be valid zero-terminated C strings -Returns: pointer to the start of the string, changed if copied for expansion. +Returns: growable string, changed if copied for expansion. The string is not zero-terminated - see string_cat() above. */ __inline__ gstring * -string_append(gstring *string, int count, ...) +string_append(gstring * g, int count, ...) { va_list ap; va_start(ap, count); while (count-- > 0) { - uschar *t = va_arg(ap, uschar *); - string = string_cat(string, t); + uschar * t = va_arg(ap, uschar *); + g = string_cat(g, t); } va_end(ap); -return string; +return g; } #endif @@ -1227,7 +1264,7 @@ BOOL string_format_trc(uschar * buffer, int buflen, const uschar * func, unsigned line, const char * format, ...) { -gstring g = { .size = buflen, .ptr = 0, .s = buffer }, *gp; +gstring g = { .size = buflen, .ptr = 0, .s = buffer }, * gp; va_list ap; va_start(ap, format); gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE, @@ -1270,13 +1307,12 @@ string, not nul-terminated. gstring * string_vformat_trc(gstring * g, const uschar * func, unsigned line, - unsigned size_limit, unsigned flags, const char *format, va_list ap) + unsigned size_limit, unsigned flags, const char * format, va_list ap) { enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 }; int width, precision, off, lim, need; const char * fp = format; /* Deliberately not unsigned */ -BOOL dest_tainted = FALSE; string_datestamp_offset = -1; /* Datestamp not inserted */ string_datestamp_length = 0; /* Datestamp not inserted */ @@ -1289,16 +1325,15 @@ assert(g); /* Ensure we have a string, to save on checking later */ if (!g) g = string_get(16); -else if (!(flags & SVFMT_TAINT_NOCHK)) dest_tainted = is_tainted(g->s); -if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(format)) +if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, format)) { #ifndef MACRO_PREDEF if (!(flags & SVFMT_REBUFFER)) die_tainted(US"string_vformat", func, line); #endif - gstring_rebuffer(g); - dest_tainted = TRUE; +/* debug_printf("rebuf B\n"); */ + gstring_rebuffer(g, format); } #endif /*!COMPILE_UTILITY*/ @@ -1310,7 +1345,7 @@ off = g->ptr; /* remember initial offset in gstring */ while (*fp) { int length = L_NORMAL; - int *nptr; + int * nptr; int slen; const char *null = "NULL"; /* ) These variables */ const char *item_start, *s; /* ) are deliberately */ @@ -1518,12 +1553,12 @@ while (*fp) if (!s) s = null; slen = Ustrlen(s); - if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(s)) + if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, s)) if (flags & SVFMT_REBUFFER) { - gstring_rebuffer(g); +/* debug_printf("%s %d: untainted workarea, tainted %%s :- rebuffer\n", __FUNCTION__, __LINE__); */ + gstring_rebuffer(g, s); gp = CS g->s + g->ptr; - dest_tainted = TRUE; } #ifndef MACRO_PREDEF else @@ -1613,6 +1648,8 @@ string supplied as data, adds the strerror() text, and if the failure was Arguments: format a text format string - deliberately not uschar * + func caller, for debug + line caller, for debug ... arguments for the format string Returns: a message, in dynamic store @@ -1620,7 +1657,7 @@ Returns: a message, in dynamic store uschar * string_open_failed_trc(const uschar * func, unsigned line, - const char *format, ...) + const char * format, ...) { va_list ap; gstring * g = string_get(1024); @@ -1681,6 +1718,7 @@ int main(void) uschar buffer[256]; printf("Testing is_ip_address\n"); +store_init(); while (fgets(CS buffer, sizeof(buffer), stdin) != NULL) {