Coccinelle archive on lore.kernel.org
 help / Atom feed
* [Cocci] Confused by regex usage
@ 2019-01-17  0:21 Kees Cook
  2019-01-17  6:50 ` Julia Lawall
  0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2019-01-17  0:21 UTC (permalink / raw)
  To: Julia Lawall, cocci

Hi,

I have this .cocci:

/// Unchecked use of snprintf() return values can lead to bugs, especially
/// when returned or used to increment a buffer position. This is because
/// snprintf() can return how much it WOULD have written, had it not run out
/// of space. Instead, use scnprintf() which will report only how much was
/// actually written, keeping any overflows from happening.
///
// Confidence: Moderate
// Copyright: (C) 2018 Kees Cook, Google. GPLv2.
// URL: http://coccinelle.lip6.fr/
// Options: --all-includes --include-headers

virtual patch

@sum_patch depends on patch exists@
expression LEN, BUF, SIZE;
identifier FUNC !~ "^\(snprintf\|scnprintf\)$";
@@

(
  LEN =
-snprintf
+scnprintf
  (BUF, SIZE, ...);
|
  LEN +=
-snprintf
+scnprintf
  (BUF + LEN, SIZE - LEN, ...);
)
  ... when != LEN > SIZE
      when != LEN >= SIZE
      when any
(
  return LEN;
|
  FUNC(..., <+...LEN...+>, ...)
)

It matches net/sunrpc/addr.c:

--- net/sunrpc/addr.c
+++ /tmp/cocci-output-43547-394eff-addr.c
@@ -79,7 +79,7 @@ static size_t rpc_ntop6(const struct soc
        if (sin6->sin6_scope_id == 0)
                return len;

-       rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u",
+       rc = scnprintf(scopebuf, sizeof(scopebuf), "%c%u",
                        IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id);
        if (unlikely((size_t)rc > sizeof(scopebuf)))
                return 0;

But I can't figure out why. I was trying to exclude matches against
sc?nprintf, but the FUNC line appears to make things crazy and break
the "when" check. If I remove the FUNC portion of the pattern, it's
fine, but then I miss a bunch of cases I *do* want to catch, etc.

Thanks!

-- 
Kees Cook
_______________________________________________
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [Cocci] Confused by regex usage
  2019-01-17  0:21 [Cocci] Confused by regex usage Kees Cook
@ 2019-01-17  6:50 ` Julia Lawall
  0 siblings, 0 replies; 2+ messages in thread
From: Julia Lawall @ 2019-01-17  6:50 UTC (permalink / raw)
  To: Kees Cook; +Cc: cocci



On Wed, 16 Jan 2019, Kees Cook wrote:

> Hi,
>
> I have this .cocci:
>
> /// Unchecked use of snprintf() return values can lead to bugs, especially
> /// when returned or used to increment a buffer position. This is because
> /// snprintf() can return how much it WOULD have written, had it not run out
> /// of space. Instead, use scnprintf() which will report only how much was
> /// actually written, keeping any overflows from happening.
> ///
> // Confidence: Moderate
> // Copyright: (C) 2018 Kees Cook, Google. GPLv2.
> // URL: http://coccinelle.lip6.fr/
> // Options: --all-includes --include-headers
>
> virtual patch
>
> @sum_patch depends on patch exists@
> expression LEN, BUF, SIZE;
> identifier FUNC !~ "^\(snprintf\|scnprintf\)$";
> @@
>
> (
>   LEN =
> -snprintf
> +scnprintf
>   (BUF, SIZE, ...);
> |
>   LEN +=
> -snprintf
> +scnprintf
>   (BUF + LEN, SIZE - LEN, ...);
> )
>   ... when != LEN > SIZE
>       when != LEN >= SIZE
>       when any
> (
>   return LEN;
> |
>   FUNC(..., <+...LEN...+>, ...)
> )
>
> It matches net/sunrpc/addr.c:
>
> --- net/sunrpc/addr.c
> +++ /tmp/cocci-output-43547-394eff-addr.c
> @@ -79,7 +79,7 @@ static size_t rpc_ntop6(const struct soc
>         if (sin6->sin6_scope_id == 0)
>                 return len;
>
> -       rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u",
> +       rc = scnprintf(scopebuf, sizeof(scopebuf), "%c%u",
>                         IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id);
>         if (unlikely((size_t)rc > sizeof(scopebuf)))
>                 return 0;
>
> But I can't figure out why. I was trying to exclude matches against
> sc?nprintf, but the FUNC line appears to make things crazy and break
> the "when" check. If I remove the FUNC portion of the pattern, it's
> fine, but then I miss a bunch of cases I *do* want to catch, etc.

Can you send an example of something that you expect to match but don't,
or don't expect to match but do?

I'm not sure that you need a regular expression here.  If there are just
two functions that you don't want to match, you can say:

identifier FUNC != {func1,func2};

julia
_______________________________________________
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-17  0:21 [Cocci] Confused by regex usage Kees Cook
2019-01-17  6:50 ` Julia Lawall

Coccinelle archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/cocci/0 cocci/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 cocci cocci/ https://lore.kernel.org/cocci \
		cocci@systeme.lip6.fr cocci@archiver.kernel.org
	public-inbox-index cocci


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/fr.lip6.systeme.cocci


AGPL code for this site: git clone https://public-inbox.org/ public-inbox