sanitise results of stat()/lstat() on Solaris #504
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tridge
approved these changes
Apr 6, 2024
Solaris 11 (possibly only 11.4) can return negative values for st_atim.tv_nsec, st_mtim.tv_nsec and st_ctim.tv_nsec. Gnulib already identifies this as an issue and works around it with stat_time_normalize(). I've adapted that function for this patch, omitting st_ctim (unused by rsync) and using only a very simple test for time_t overflow. The feature test macros used mean this code path will be used on _all_ Solaris builds, but this shouldn't be an issue; it would probably be safe on anything that provides tv_nsec.
|
@WayneD looks good, pending your OK |
charmitro
reviewed
Apr 7, 2024
Comment on lines
+155
to
+186
| int stat_time_normalize(int result, STRUCT_STAT *st) | ||
| { | ||
| #if defined __sun && defined HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC | ||
| if (result == 0) { | ||
| long int timespec_hz = 1000000000; | ||
| short int const ts_off[] = { offsetof (struct stat, st_atim), | ||
| offsetof (struct stat, st_mtim) }; | ||
| unsigned i; | ||
| for (i = 0; i < sizeof ts_off / sizeof *ts_off; i++) { | ||
| struct timespec *ts = (struct timespec *)((char *) st + ts_off[i]); | ||
| long int q = ts->tv_nsec / timespec_hz; | ||
| long int r = ts->tv_nsec % timespec_hz; | ||
| if (r < 0) { | ||
| r += timespec_hz; | ||
| q--; | ||
| } | ||
| ts->tv_nsec = r; | ||
| /* Overflow is possible, as Solaris 11 stat can yield | ||
| tv_sec == TYPE_MINIMUM (time_t) && tv_nsec == -1000000000. */ | ||
| time_t sec = ts->tv_sec + q; | ||
| if ((q > 0 && sec < ts->tv_sec) || (q < 0 && sec > ts->tv_sec)) { | ||
| errno = EOVERFLOW; | ||
| return -1; | ||
| } | ||
| ts->tv_sec = sec; | ||
| } | ||
| } | ||
| #else | ||
| (void)st; | ||
| #endif | ||
| return result; | ||
| } |
There was a problem hiding this comment.
Since this function is utilized solely in scenarios where #if defined __sun && defined HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC is true, it would be more straightforward to not define it when this condition is not met.
E.g.,
#if defined __sun && defined HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC
int stat_time_normalize(int result, STRUCT_STAT *st)
{
if (result == 0) {
long int timespec_hz = 1000000000;
short int const ts_off[] = { offsetof (struct stat, st_atim),
offsetof (struct stat, st_mtim) };
unsigned i;
for (i = 0; i < sizeof ts_off / sizeof *ts_off; i++) {
struct timespec *ts = (struct timespec *)((char *) st + ts_off[i]);
long int q = ts->tv_nsec / timespec_hz;
long int r = ts->tv_nsec % timespec_hz;
if (r < 0) {
r += timespec_hz;
q--;
}
ts->tv_nsec = r;
/* Overflow is possible, as Solaris 11 stat can yield
tv_sec == TYPE_MINIMUM (time_t) && tv_nsec == -1000000000. */
time_t sec = ts->tv_sec + q;
if ((q > 0 && sec < ts->tv_sec) || (q < 0 && sec > ts->tv_sec)) {
errno = EOVERFLOW;
return -1;
}
ts->tv_sec = sec;
}
}
return result;
}
#endif
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Solaris 11 (possibly only 11.4) can return negative values for st_atim.tv_nsec, st_mtim.tv_nsec and st_ctim.tv_nsec.
Gnulib already identifies this as an issue and works around it with stat_time_normalize(). I've adapted that function for this patch, omitting st_ctim (unused by rsync) and using only a very simple test for time_t overflow.
The feature test macros used mean this code path will be used on all Solaris builds, but this shouldn't be an issue; it would probably be safe on anything that provides tv_nsec.