Add bound check functions for strncpy and memcpy (#1117)

Author: lalitb

CMakeLists.txt

@@ -189,6 +189,11 @@ if(GCC5_CXX11_ABI_WORKAROUND)
   add_definitions(-D_GLIBCXX_USE_CXX11_ABI=0)
 endif()
 
+option(USE_ONEDS_BOUNDCHECK_METHODS "Use bound check methods for C99 functions" OFF)
+if (USE_ONEDS_BOUNDCHECK_METHODS)
+  add_definitions(-DHAVE_ONEDS_BOUNDCHECK_METHODS)
+endif()
+
 if(PAL_IMPLEMENTATION STREQUAL "WIN32")
  add_definitions(-DZLIB_WINAPI)
 endif()

lib/bond/CompactBinaryProtocolReader.hpp

@@ -10,7 +10,9 @@
 
 #include <string.h>
 
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
 #include "utils/annex_k.hpp"
+#endif
 
 namespace bond_lite {
 
@@ -66,7 +68,11 @@ class CompactBinaryProtocolReader {
         if ((data == nullptr) || (size == 0)) {
             return false;
         }
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
+        bool result = MAT::BoundCheckFunctions::oneds_memcpy_s(static_cast<uint8_t*>(data), size, &(m_input[m_ofs]), size);
+#else
         bool result = (memcpy_s(static_cast<uint8_t*>(data), size, &(m_input[m_ofs]), size) == 0);
+#endif
         m_ofs += size;
         return result;
     }

lib/http/HttpClient_Curl.hpp

@@ -30,6 +30,10 @@
 #include "IHttpClient.hpp"
 #include "pal/PAL.hpp"
 
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
+#include "utils/annex_k.hpp"
+#endif
+
 #define HTTP_CONN_TIMEOUT       5L
 #define HTTP_STATUS_REGEXP		"HTTP\\/\\d\\.\\d (\\d+)\\ .*"
 #define HTTP_HEADER_REGEXP      "(.*)\\: (.*)\\n*"
@@ -490,8 +494,11 @@ class CurlHttpOperation {
           TRACE("not enough memory (realloc returned NULL)\n");
           return 0;
         }
-
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
+        BoundCheckFunctions::oneds_memcpy_s(&(mem->memory[mem->size]), realsize, contents, realsize);
+#else
         memcpy(&(mem->memory[mem->size]), contents, realsize);
+#endif
         mem->size += realsize;
         mem->memory[mem->size] = 0;
 

lib/include/mat/config-compact-dll.h

@@ -22,4 +22,5 @@
 #define HAVE_CS3
 //#define HAVE_CS4
 //#define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/include/mat/config-compact-exp.h

@@ -22,4 +22,5 @@
 #define HAVE_CS3
 //#define HAVE_CS4
 //#define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/include/mat/config-compact-min.h

@@ -22,4 +22,5 @@
 #define HAVE_CS3
 //#define HAVE_CS4
 //#define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/include/mat/config-compact-noutc.h

@@ -22,4 +22,5 @@
 #define HAVE_CS3
 //#define HAVE_CS4
 //#define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/include/mat/config-compact.h

@@ -22,4 +22,5 @@
 #define HAVE_CS3
 //#define HAVE_CS4
 //#define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/include/mat/config-default-cs4.h

@@ -36,4 +36,5 @@
 //#define HAVE_CS3
 #define HAVE_CS4
 #define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/include/mat/config-default-exp.h

@@ -34,4 +34,5 @@
 #define HAVE_CS3
 //#define HAVE_CS4
 //#define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/include/mat/config-default.h

@@ -37,4 +37,5 @@
 #define HAVE_CS3
 //#define HAVE_CS4
 //#define HAVE_CS4_FULL
+//#define HAVE_ONEDS_BOUNDCHECK_METHODS
 

lib/tracing/api/sha1.c

@@ -25,6 +25,10 @@ A million repetitions of "a"
 
 #include "sha1.h"
 
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
+#include "utils/annex_k.hpp"
+#endif
+
 
 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
 
@@ -67,8 +71,11 @@ void SHA1Transform(
 #ifdef SHA1HANDSOFF
     CHAR64LONG16 block[1];      /* use array to appear as a pointer */
 
-    memcpy(block, buffer, 64);
+#ifdef USE_ONEDS_BOUNDCHECK_METHODS
+    BoundCheckFunctions::oneds_memcpy_s(block, 64, buffer, 64)
 #else
+    memcpy(block, buffer, 64);
+#endif
     /* The following had better never be used because it causes the
     * pointer-to-const buffer to be cast into a pointer to non-const.
     * And the result is written through.  I threw a "const" in, hoping
@@ -212,7 +219,12 @@ void SHA1Update(
     j = (j >> 3) & 63;
     if ((j + len) > 63)
     {
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
+        i = 64 - j;
+        BoundCheckFunctions::oneds_memcpy_s(&context->buffer[j], i, data, i);
+#else
         memcpy(&context->buffer[j], data, (i = 64 - j));
+#endif
         SHA1Transform(context->state, context->buffer);
         for (; i + 63 < len; i += 64)
         {
@@ -222,7 +234,11 @@ void SHA1Update(
     }
     else
         i = 0;
+#ifdef USE_ONEDS_BOUNDCHECK_METHODS
+    BoundCheckFunctions::oneds_memcpy_s(&context->buffer[j], len - i, &data[i], len - i);
+#else
     memcpy(&context->buffer[j], &data[i], len - i);
+#endif
 }
 
 

lib/utils/annex_k.hpp

@@ -2,6 +2,17 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 //
+#include "ctmacros.hpp"
+
+#include <stddef.h>
+#include <errno.h>
+#include <string.h>
+#ifndef _MSC_VER
+#include <stdint.h>
+#else
+#include <limits.h>
+#endif
+
 #ifndef ANNEX_K_HPP
 #define ANNEX_K_HPP
 
@@ -18,5 +29,162 @@
 
 #endif
 
+// restrict keyword needs c99 and above.
+#if __STDC_VERSION_ < 199901L
+#  define restrict
+#endif
+
+#ifndef RSIZE_MAX
+#define RSIZE_MAX (SIZE_MAX >> 1)
+typedef size_t rsize_t;
+typedef int errno_t;
+#endif
+
+namespace MAT_NS_BEGIN
+{
+class BoundCheckFunctions
+{
+private:
+static bool oneds_buffer_region_overlap(const char *buffer1, size_t buffer1_len, const char *buffer2, size_t buffer2_len)
+{
+    if (buffer2 >= buffer1) 
+    {
+        if (buffer1 + buffer1_len - 1 > buffer2 )
+        {
+            return true;
+        }
+    }
+    else 
+    {
+        if (buffer2 + buffer2_len - 1 > buffer1)
+        { 
+            return true;
+        }
+    }
+    return false; 
+}
+
+public:
+// prototype - https://en.cppreference.com/w/c/string/byte/strlen
+//  Returns the length of the given null-terminated byte string
+//  - returns zero if str is a null pointer
+//  -  returns strsz if the null character was not found in the first strsz bytes of str.
+
+static size_t oneds_strnlen_s(const char *str, size_t strsz)
+{
+   if ( str == NULL)
+   {
+    return 0;
+   } 
+   return strnlen(str, strsz);
+}
+
+// prototype - https://en.cppreference.com/w/c/string/byte/strncpy (strcpy, strcpy_s)
+// Copies at most count characters of the character array pointed to by src 
+//(including the terminating null character, but not any of the characters that follow 
+// the null character) to character array pointed to by dest.
+// Handles error conditions at runtime - 
+//   - src or dest is a null pointer
+//   - destsz is zero or greater than RSIZE_MAX
+//   - count is greater than RSIZE_MAX
+//   - count is greater or equal destsz, but destsz is less or equal strnlen_s(src, count), in other words, truncation would occur
+//   - overlap would occur between the source and the destination strings
+static errno_t oneds_strncpy_s(char * restrict dest, rsize_t destsz, const char *restrict src, rsize_t count)
+{
+#if (defined __STDC_LIB_EXT1__) || ( defined _MSC_VER)
+    return strncpy_s(dest, destsz, src, count);
+#else
+    if ((dest == NULL) || (destsz == 0) || (destsz > RSIZE_MAX))
+    {
+        return EINVAL;
+    }
+    if (src == NULL)
+    {
+        dest = NULL;
+        return EINVAL;
+    }
+    if (count > RSIZE_MAX){
+        dest = NULL;
+        return EINVAL;
+    }
+    if (count >= destsz && destsz <= oneds_strnlen_s(src, count))
+    {
+        dest = NULL;
+        return EINVAL;
+    }
+
+    rsize_t src_len_to_read = oneds_strnlen_s(src, count) + 1 ;
+    if (src_len_to_read < count) 
+    {
+        src_len_to_read = count;
+    }
+
+    // donot allow overflow
+    if (oneds_buffer_region_overlap(dest, destsz, src, src_len_to_read)) {
+        dest = NULL;
+        return EINVAL;
+    }
+    if (src_len_to_read < destsz)
+    {
+        src_len_to_read = destsz;
+    }
+    strncpy(dest, src, src_len_to_read);
+    return 0;
 #endif
+}
+
+// prototype -  https://en.cppreference.com/w/c/string/byte/memcpy
+// Copies count characters from the object pointed to by src to the 
+// object pointed to by dest. Both objects are interpreted as arrays 
+// of unsigned char.
+// 
+// Handles error conditions at runtime - 
+//  - dest or src is a null pointer
+// - destsz or count is greater than RSIZE_MAX
+// - count is greater than destsz (buffer overflow would occur)
+// - the source and the destination objects overlap
+// 
+// In case of error, the entire destination range [dest, dest+destsz) is zeroed out 
+// (if both dest and destsz are valid))
 
+static errno_t oneds_memcpy_s( void *restrict dest, rsize_t destsz,
+                  const void *restrict src, rsize_t count )
+{
+#if (defined __STDC_LIB_EXT1__) || ( defined _MSC_VER)
+       return memcpy_s(dest, destsz, src, count);     
+#else
+    if (dest == NULL)
+    {
+        return EINVAL;
+    }
+    if (destsz > RSIZE_MAX)
+    {
+        return EINVAL;
+    }
+    if (src == NULL)
+    {
+        memset(dest, 0, destsz);
+        return EINVAL;
+    }
+    if (count > RSIZE_MAX || count > destsz)
+    {
+        memset(dest, 0, destsz);
+        return EINVAL;
+    }
+    // donot allow overflow
+    if (oneds_buffer_region_overlap((char *)dest, destsz, (char *)src, count)) {
+        memset(dest, 0, destsz);
+        return EINVAL;
+    }
+    void *result = memcpy(dest, src, count);
+    if (result == (void *)NULL)
+    {
+        return -1;
+    }
+    return 0;
+#endif
+}
+};
+}
+MAT_NS_END
+#endif

tests/common/SocketTools.hpp

@@ -14,6 +14,9 @@
 #include <cstring>
 #include <cstddef>
 #include <algorithm>
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
+#include "utils/annex_k.hpp"
+#endif
 
 #if defined(HAVE_CONSOLE_LOG) && !defined(LOG_DEBUG)
 /* Log to console if there's no standard log facility defined */
@@ -139,7 +142,11 @@ class SocketAddr
         {
             inet4.sin_port = htons(atoi(colon + 1));
             char buf[16];
+#ifdef HAVE_ONEDS_BOUNDCHECK_METHODS
+            MAT::BoundCheckFunctions::oneds_memcpy_s(buf, sizeof(buf), addr, std::min<ptrdiff_t>(15, colon - addr));
+#else
             memcpy(buf, addr, std::min<ptrdiff_t>(15, colon - addr));
+#endif
             buf[15] = '\0';
             ::inet_pton(AF_INET, buf, &inet4.sin_addr);
         } else

tests/unittests/AnnexKTests.cpp

@@ -0,0 +1,32 @@
+#include "utils/annex_k.hpp"
+#include "common/Common.hpp"
+
+using namespace testing;
+using namespace MAT;
+
+TEST(AnnexKTests, memcpy_s)
+{
+    volatile size_t dest_size =10;
+    volatile size_t src_size = 5;
+    void    *dest =  malloc(sizeof(char) * dest_size);
+    void    *src = malloc(sizeof(char) * src_size);
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s(src, 5, "TEST", 5), 0);
+    rsize_t dest_len = dest_size;
+    rsize_t src_len = src_size-1;
+
+    // success tests
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s(dest, dest_len, src, 0), 0);
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s( dest, dest_len, src, src_len + 1), 0);
+    EXPECT_EQ(strlen((char *)dest), strlen("TEST"));
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s(dest, dest_len + 2, src, src_len + 1), 0);
+    EXPECT_EQ(strlen((char *)dest), strlen("TEST"));
+
+    // error tests
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s(dest, 3, src, src_len), EINVAL);
+    EXPECT_EQ(((char *)dest)[0], '\0');
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s(NULL, 3, src, src_len), EINVAL);
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s( dest, dest_len, NULL, src_len), EINVAL);
+    EXPECT_EQ(((char *)dest)[0], '\0');
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s( dest, dest_len, src, dest_len + 1 ), EINVAL);
+    EXPECT_EQ(BoundCheckFunctions::oneds_memcpy_s( dest, dest_len, (void *)((char *)dest + 1), src_len + 1 ), EINVAL);
+}

tests/unittests/CMakeLists.txt

@@ -3,6 +3,7 @@ message("--- unittests")
 set(SRCS
   AIJsonSerializerTests.cpp
   AITelemetrySystemTests.cpp
+  AnnexKTests.cpp
   BackoffTests_ExponentialWithJitter.cpp
   BondSplicerTests.cpp
   ClockSkewManagerTests.cpp