Hi Dietmar,

On Mon, Sep 19, 2011 at 8:59 AM, <[email protected]> wrote:
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Thomas De Schampheleire
>> Sent: Friday, September 16, 2011 3:00 PM
>> ...
>> The original PSOS interfaces that take a name (like t_create,
>> sm_create etc), expect a character array with length 4:
>> ...
>> while the corresponding PSOS skin in Xenomai expects a null-terminated
>> character array (a real string):
>> ...
>>
>> In certain situations, this difference gives rise to a buffer overflow
>> on the name variable.
>> For example:
>>
>> unsigned long smid, err;
>> {
>>     char id[4] = {'S','E','M','0'};
>>     err = sm_create(id,0,SM_PRIOR,&smid);
>> }
>> {
>>     char id[4] = "SEM";
>>     id[3] = '1';
>>     err = sm_create(id,0,SM_PRIOR,&smid);
>> }
>> {
>>     char id[4] = "SEM2";
>>     err = sm_create(id,0,SM_PRIOR,&smid);
>> }
>> ...
>>
>> ... The third one (SEM2)
>> is dubious because the end-of-string character will overflow the
>> array, ...
>
> This is not true, according to ISO/IEC 9899:TC3 Programming languages - C,
> §6.7.8 Initialization:
> ...
> 14 An array of character type may be initialized by a character string
> literal, optionally enclosed in braces. Successive characters of the
> character string literal (including the terminating null character if there
> is room or if the array is of unknown size) initialize the elements of the
> array.
> ...
> 32 EXAMPLE 8 The declaration
>     char s[] = "abc", t[3] = "abc";
> defines ''plain'' char array objects s and t whose elements are initialized
> with character string literals.
> This declaration is identical to
>     char s[] = { 'a', 'b', 'c', '\0' },
>     t[] = { 'a', 'b', 'c' };
Thanks for clarifying this...

Best regards,
Thomas

>
>> On target, this creates the following semaphores (taken from the
>> registry):
>>
>> # ls /proc/xenomai/registry/psos/semaphores/SEM*
>> ...
>> /proc/xenomai/registry/psos/semaphores/SEM0????p????_S22753
>> /proc/xenomai/registry/psos/semaphores/SEM1p????_S22753
>> /proc/xenomai/registry/psos/semaphores/SEM2?_S22753
>>
>> As you can see, in all cases there was an array overflow (the question
>> marks correspond to non-ASCII characters), caused by the missing
>> null-termination (in itself caused by a mismatch between the original
>> PSOS interface and the Xenomai PSOS skin implementation of it).
>
> I would prefer to call this an array overrun (to distinguish the reading past
> the end of the array here from writing past the end), even though that is not
> a generally accepted distinction.
>
>> If you do not explicitly create a character array of length 4, e.g.
>> (char id[] = "SEM1") then the Xenomai code obviously works fine: it
>> receives a null-terminated string, as it expects.
>>
>>
>> To fix this problem, the PSOS skin should treat incoming names as
>> non-null-terminated character arrays of length 4, and explicitly add
>> null-termination before passing it to the nucleus.
>>
>> What is your view on this?
>
> I agree.
>
> --
> Regards,
> Dietmar
>
>
> _______________________________________________
> Xenomai-help mailing list
> [email protected]
> https://mail.gna.org/listinfo/xenomai-help
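The fix agreed on in the thread (treat an incoming pSOS name as a 4-byte array that may lack a terminator, and add the NUL explicitly before handing the name on) as an added C example; this is not code from the thread or from the Xenomai pSOS skin, and the names `psos_name_to_cstr` and `psos_name_matches` are assumed:

```c
#include <stdio.h>
#include <string.h>

#define PSOS_NAME_LEN 4   /* pSOS object names are exactly 4 bytes, no NUL required */

/*
 * Convert a pSOS-style name (4 bytes, not necessarily NUL-terminated) into a
 * proper C string. Reads at most PSOS_NAME_LEN bytes from `name`, so a
 * caller-supplied char[4] is never overrun, and always NUL-terminates `out`
 * (which must hold at least PSOS_NAME_LEN + 1 bytes). Returns strlen(out).
 * Illustrative code for the "explicitly add null-termination" step; it is
 * not the skin's own implementation.
 */
size_t psos_name_to_cstr(const char name[PSOS_NAME_LEN],
                         char out[PSOS_NAME_LEN + 1])
{
    memcpy(out, name, PSOS_NAME_LEN);   /* shorter names keep their own NUL  */
    out[PSOS_NAME_LEN] = '\0';          /* full 4-byte names get one here    */
    return strlen(out);
}

/* Convert `name` and compare with `expected`; 1 on match, 0 otherwise.
 * Only the first 4 bytes of `name` are read. */
int psos_name_matches(const char name[PSOS_NAME_LEN], const char *expected)
{
    char out[PSOS_NAME_LEN + 1];
    psos_name_to_cstr(name, out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* The three id[4] arrays from the thread, constructed here as sample input */
    char id0[4] = {'S', 'E', 'M', '0'};
    char id1[4] = "SEM";
    char id2[4] = "SEM2";   /* legal per C99 6.7.8p14: the NUL is simply not stored */
    char out[PSOS_NAME_LEN + 1];
    const char *ids[3] = { id0, id1, id2 };

    id1[3] = '1';
    for (int i = 0; i < 3; i++) {
        size_t n = psos_name_to_cstr(ids[i], out);
        printf("name %d -> \"%s\" (%zu chars)\n", i, out, n);
    }
    return 0;
}
```

Because the helper never calls strlen() on the caller's buffer, the registry entries built from `out` cannot pick up the stray bytes seen in the `/proc/xenomai/registry` listing above.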
