vppinfra: c11 safe string functions

Add memcmp_s, strcmp_s, strncmp_s, strcpy_s, strncpy_s, strcat_s, strncat_s, strtok_s, strnlen_s, and strstr_s C11 safe string API. For migrating extant unsafe API, add also the corresponding macro version of each safe API, clib_memcmp, clib_strcmp, etc. In general, the benefits of the safe string APIs are to provide null pointer checks, add additional argument to specify the string length of the passed string rather than relying on the null terminated character, and src/dest overlap checking for the the string copy operations. The macro version of the API takes the same number of arguments as the unsafe API to provide easy migration. However, it does not usually provide the full aformentioned benefits. In some cases, it is necessary to move to the safe API rather than using the macro in order to avoid some unpredictable problems such as accessing memory beyond what it is intended due to the lack of the passed string length. dbarach: add a "make test" vector, and a doxygen file header cookie. Change-Id: I5cd79b8928dcf76a79bf3f0b8cbc1a8f24942f4c Signed-off-by: Steven <sluong@cisco.com> Signed-off-by: Dave Barach <dave@barachs.net>
author: Steven <sluong@cisco.com> 2018-10-24 21:15:45 -0700
committer: Dave Barach <dave@barachs.net> 2018-12-02 08:47:46 -0500
commit: b0598497afde60146fe8480331c9f96e7a79475a (patch)
tree: a3d9f454195cb9317fceb29efe62f5b62de89dea /src/vppinfra/string.c
parent: e7f61d1db511b9b09c7771c5851eaaf95a2fc7fe (diff)
1 files changed, 369 insertions, 0 deletions
diff --git a/src/vppinfra/string.c b/src/vppinfra/string.c
index b90f432c0cc..feae5b9165c 100644
--- a/src/vppinfra/string.c
+++ b/src/vppinfra/string.c
@@ -38,6 +38,12 @@
 #include <vppinfra/string.h>
 #include <vppinfra/error.h>
 
+/**
+ * @file
+ * @brief String Handling routines, including a performant
+ * implementation of many c-11 "safe" string functions.
+ */
+
 /* Exchanges source and destination. */
 void
 clib_memswap (void *_a, void *_b, uword bytes)
@@ -91,6 +97,25 @@ clib_c11_violation (const char *s)
   _clib_error (CLIB_ERROR_WARNING, (char *) __FUNCTION__, 0, (char *) s);
 }
 
+/**
+ * @brief copy src to dest, at most n bytes, up to dmax
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *dest  pointer to memory to copy to
+ * @param dmax   maximum length of resulting dest
+ * @param *src   pointer to memory to copy from
+ * @param n      maximum number of characters to copy from src
+ *
+ * @constraints  No null pointers
+ *               n shall not be greater than dmax
+ *               no memory overlap between src and dest
+ *
+ * @return EOK        success
+ *         EINVAL     runtime constraint error
+ *
+ */
 errno_t
 memcpy_s (void *__restrict__ dest, rsize_t dmax,
 	  const void *__restrict__ src, rsize_t n)
@@ -98,12 +123,356 @@ memcpy_s (void *__restrict__ dest, rsize_t dmax,
   return memcpy_s_inline (dest, dmax, src, n);
 }
 
+/**
+ * @brief set n bytes starting at s to the specified c value
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *s     pointer to memory to set the c value
+ * @param smax   maximum length of resulting s
+ * @param c      byte value
+ * @param n      maximum number of characters to set in s
+ *
+ * @constraints  No null pointers
+ *               n shall not be greater than smax
+ *
+ * @return EOK        success
+ *         EINVAL     runtime constraint error
+ *
+ */
 errno_t
 memset_s (void *s, rsize_t smax, int c, rsize_t n)
 {
   return memset_s_inline (s, smax, c, n);
 }
 
+/**
+ * @brief compare memory until they differ, and their difference is returned in
+ *        diff
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *s1     pointer to memory to compare against
+ * @param s1max   maximum length of s1
+ * @param *s2     pointer to memory to compare with s1
+ * @param s2max   length of s2
+ * @param *diff   pointer to the diff which is an integer greater than, equal to,
+ *                or less than zero according to s1 is greater than, equal to,
+ *                or less than s2.
+ *
+ * @constraints   No null pointers
+ *                s1max and s2max shall not be zero
+ *                s2max shall not be greater than s1max
+ *
+ * @return EOK    success
+ *         diff   when the return code is EOK
+ *         >0     s1 greater s2
+ *          0     s1 == s2
+ *         <0     s1 < s2
+ *         EINVAL runtime constraint error
+ *
+ */
+errno_t
+memcmp_s (const void *s1, rsize_t s1max, const void *s2, rsize_t s2max,
+	  int *diff)
+{
+  return memcmp_s_inline (s1, s1max, s2, s2max, diff);
+}
+
+/**
+ * @brief compare string s2 to string s1, and their difference is returned in
+ *        indicator
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *s1     pointer to string to compare against
+ * @param s1max   maximum length of s1, excluding null
+ * @param *s2     pointer to string to compare with s1
+ * @param *indicator  pointer to the comparison result, which is an integer
+ *                    greater than, equal to, or less than zero according to
+ *                    s1 is greater than, equal to, or less than s2.
+ *
+ * @constraints   No null pointers
+ *                s1max shall not be zero
+ *                s1 shall be null terminated
+ *                n shall not be greater than the smaller of s1max and strlen
+ *                of s1
+ *
+ * @return EOK        success
+ *         indicator  when the return code is EOK
+ *         >0         s1 greater s2
+ *          0         s1 == s2
+ *         <0         s1 < s2
+ *         EINVAL     runtime constraint error
+ *
+ */
+errno_t
+strcmp_s (const char *s1, rsize_t s1max, const char *s2, int *indicator)
+{
+  return strcmp_s_inline (s1, s1max, s2, indicator);
+}
+
+/**
+ * @brief compare string s2 to string s1, no more than n characters, and their
+ *        difference is returned in indicator
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *s1     pointer to string to compare against
+ * @param s1max   maximum length of s1, excluding null
+ * @param *s2     pointer to string to compare with s1
+ * @param n       maximum number of characters to compare
+ * @param *indicator  pointer to the comparison result, which is an integer
+ *                    greater than, equal to, or less than zero according to
+ *                    s1 is greater than, equal to, or less than s2.
+ *
+ * @constraints   No null pointers
+ *                s1max shall not be zero
+ *                s1 shall be null terminated
+ *
+ * @return EOK        success
+ *         indicator  when the return code is EOK
+ *         >0         s1 greater s2
+ *          0         s1 == s2
+ *         <0         s1 < s2
+ *         EINVAL     runtime constraint error
+ *
+ */
+errno_t
+strncmp_s (const char *s1, rsize_t s1max, const char *s2, rsize_t n,
+	   int *indicator)
+{
+  return strncmp_s_inline (s1, s1max, s2, n, indicator);
+}
+
+/**
+ * @brief copy src string to dest string
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *dest  pointer to string to copy to
+ * @param dmax   maximum length of resulting dest string, including null
+ * @param *src   pointer to string to copy from
+ *
+ * @constraints  No null pointers
+ *               dmax shall not be zero
+ *               dmax shall be greater than string length of src
+ *               no memory overlap between src and dest
+ *
+ * @return EOK        success
+ *         EINVAL     runtime constraint error
+ *
+ */
+errno_t
+strcpy_s (char *__restrict__ dest, rsize_t dmax, const char *__restrict__ src)
+{
+  return strcpy_s_inline (dest, dmax, src);
+}
+
+/**
+ * @brief copy src string to dest string, no more than n characters
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *dest  pointer to string to copy to
+ * @param dmax   maximum length of resulting dest string, including null
+ * @param *src   pointer to string to copy from
+ * @param n      maximum number of characters to copy from src, excluding null
+ *
+ * @constraints  No null pointers
+ *               dmax shall not be zero
+ *               no memory overlap between src and dest
+ *
+ * @return EOK        success
+ *         EINVAL     runtime constraint error
+ *         EOVERFLOW  truncated operation. dmax - 1 characters were copied.
+ *                    dest is null terminated.
+ *
+ */
+errno_t
+strncpy_s (char *__restrict__ dest, rsize_t dmax,
+	   const char *__restrict__ src, rsize_t n)
+{
+  return strncpy_s_inline (dest, dmax, src, n);
+}
+
+/**
+ * @brief append src string to dest string, including null
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *dest  pointer to string to append to
+ * @param dmax   maximum length of resulting dest string, including null
+ * @param *src   pointer to string to append from
+ *
+ * @constraints  No null pointers
+ *               dmax shall not be zero
+ *               dest shall be null terminated
+ *               given m = dmax - strnlen (dest, dmax)
+ *                     n = strnlen (src, m)
+ *                        n shall not be >= m
+ *               no memory overlap between src and dest
+ *
+ * @return EOK        success
+ *         EINVAL     runtime constraint error
+ *
+ */
+errno_t
+strcat_s (char *__restrict__ dest, rsize_t dmax, const char *__restrict__ src)
+{
+  return strcat_s_inline (dest, dmax, src);
+}
+
+/**
+ * @brief append src string to dest string, including null, no more than n
+ *        characters
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *dest  pointer to string to append to
+ * @param dmax   maximum length of resulting dest string, including null
+ * @param *src   pointer to string to append from
+ * @param n      maximum characters to append (excluding null)
+ *
+ * @constraints  No null pointers
+ *               dmax shall not be zero
+ *               dest shall be null terminated
+ *               dmax - strnlen (dest, dmax) shall not be zero
+ *               no memory overlap between src and dest
+ *
+ * @return EOK        success
+ *         EINVAL     runtime constraint error
+ *         EOVERFLOW  truncated operation. dmax - 1 characters were appended.
+ *                    dest is null terminated.
+ *
+ */
+errno_t
+strncat_s (char *__restrict__ dest, rsize_t dmax,
+	   const char *__restrict__ src, rsize_t n)
+{
+  return strncat_s_inline (dest, dmax, src, n);
+}
+
+/**
+ * @brief tokenize string s1 with delimiter specified in s2. This is a stateful
+ *        API when it is iterately called, it returns the next token from s1
+ *        which is delimited by s2. s1max and ptr maintain the stateful
+ *        information for the same caller and must not be altered by the
+ *        caller during the iteration for the correct result
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *s1         pointer to string to be searched for substring
+ * @param *s1max      restricted maximum length of s1
+ * @param *s2         pointer to substring to search (16 characters max,
+ *                    including null)
+ * @param **ptr       in/out pointer which maintains the stateful information
+ *
+ * @constraints  s2, s1max, and ptr shall not be null
+ *               if s1 is null, contents of ptr shall not be null
+ *               s1 and s2 shall be null terminated
+ *
+ * @return non-null  pointer to the first character of a token
+ *         s1max and ptr are modified to contain the state
+ *         null      runtime constraint error or token is not found
+ *
+ * @example
+ *   char *str2 = " ";
+ *   char str1[100];
+ *   uword len;
+ *   char *p2str = 0;
+ *   char *tok1, *tok2, *tok3, *tok4, *tok5, *tok6, *tok7;
+ *
+ *   strncpy (str1, "brevity is the soul of wit", sizeof (str1));
+ *   len = strlen (str1);
+ *   tok1 = strtok_s (str1, &len, str2, &p2str);
+ *   tok2 = strtok_s (0, &len, str2, &p2str);
+ *   tok3 = strtok_s (0, &len, str2, &p2str);
+ *   tok4 = strtok_s (0, &len, str2, &p2str);
+ *   tok5 = strtok_s (0, &len, str2, &p2str);
+ *   tok6 = strtok_s (0, &len, str2, &p2str);
+ *   tok7 = strtok_s (0, &len, str2, &p2str);
+ *
+ * After the above series of calls,
+ *   tok1 = "brevity", tok2 = "is", tok3 = "the", tok4 = "soul", tok5 = "of",
+ *   tok6 = "wit", tok7 = null
+ */
+char *
+strtok_s (char *__restrict__ s1, rsize_t * __restrict__ s1max,
+	  const char *__restrict__ s2, char **__restrict__ ptr)
+{
+  return strtok_s_inline (s1, s1max, s2, ptr);
+}
+
+/**
+ * @brief compute the length in s, no more than maxsize
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *s      pointer to string
+ * @param maxsize restricted maximum length
+ *
+ * @constraints   No null pointers
+ *                maxsize shall not be zero
+ *
+ * @return size_t the string length in s, excluding null character, and no
+ *                more than maxsize or 0 if there is a constraint error
+ *
+ */
+size_t
+strnlen_s (const char *s, size_t maxsize)
+{
+  return strnlen_s_inline (s, maxsize);
+}
+
+/**
+ * @brief locate the first occurrence of the substring s2 in s1
+ *
+ *        ISO/IEC 9899:2017(C11), Porgramming languages -- C
+ *        Annex K; Bounds-checking interfaces
+ *
+ * @param *s1         pointer to string to be searched for substring
+ * @param s1max       restricted maximum length of s1
+ * @param *s2         pointer to substring to search
+ * @param s2max       restricted maximum length of s2
+ * @param **substring pointer to pointer substring to be returned
+ *
+ * @constraints  No null pointers
+ *               s1max and s2max shall not be zero
+ *               s1 and s2 shall be null terminated
+ *
+ * @return EOK    success
+ *         substring when the return code is EOK, it contains the pointer which
+ *         points to s1 that matches s2
+ *         EINVAL runtime constraint error
+ *         ESRCH  no match
+ *
+ * @example
+ *   char *sub = 0;
+ *   char *s1 = "success is not final, failure is not fatal.";
+ *
+ *   strstr_s (s1, strlen (s1), "failure", strlen ("failure"), &sub);
+ *
+ * After the above call,
+ *   sub = "failure is not fatal."
+ */
+errno_t
+strstr_s (char *s1, rsize_t s1max, const char *s2, rsize_t s2max,
+	  char **substring)
+{
+  return strstr_s_inline (s1, s1max, s2, s2max, substring);
+}
+
 /*
  * fd.io coding-style-patch-verification: ON
  *
author	Steven <sluong@cisco.com>	2018-10-24 21:15:45 -0700
committer	Dave Barach <dave@barachs.net>	2018-12-02 08:47:46 -0500
commit	b0598497afde60146fe8480331c9f96e7a79475a (patch)
tree	a3d9f454195cb9317fceb29efe62f5b62de89dea /src/vppinfra/string.c
parent	e7f61d1db511b9b09c7771c5851eaaf95a2fc7fe (diff)