Kevin Day [Thu, 31 Mar 2022 00:06:18 +0000 (19:06 -0500)]
Security: Invalid write in FSS processing functions due to improper allocation size.
The start and stop ranges are inclusive.
This means that the size is (stop - start) + 1.
The problems happens where the code is adding additional digits to represent end of line or other special characters.
When this is added, I seem to have forgotten to add the additional numbers to the + 1 and instead replaced the + 1.
This results in the size being potentially short by a single character and thus an invalid write is possible.
Kevin Day [Wed, 30 Mar 2022 23:47:13 +0000 (18:47 -0500)]
Update: Move the program data into the main for fss_embedded_list_read.
Replace fss_embedded_list_read_main_t with fll_program_data_t and fss_embedded_list_read_data_t.
Move parameter initialization and deallocation for FLL program data into main.c.
Kevin Day [Wed, 30 Mar 2022 03:37:07 +0000 (22:37 -0500)]
Bugfix: The out of range is printing and then continues processing.
When out of range happens an error should be printed and should stop processing for that parameter.
This is not happening because the status is incorrectly being returned when status is not assigned an error bit.
The out of range check happens independent of the status variable.
Kevin Day [Wed, 30 Mar 2022 01:17:09 +0000 (20:17 -0500)]
Update: Use signal_check more consistently in programs.
There are programs that do not use the fll_program_data_t structure.
These now define the signal_check in their main.
Such cases will go away as soon as they are converted into using fll_program_data_t.
Kevin Day [Tue, 29 Mar 2022 03:38:43 +0000 (22:38 -0500)]
Update: Finish writing tests, fix endianness, simplify some code.
Now that f_char_t exists and is in use, rename f_utf_character_t to f_utf_char_t to be consistent (and simpler).
The endianness detection is incorrect.
The BIG_ENDIAN is not represented as expected.
Change the detection to use GCC's __BYTE_ORDER__ macros.
Fallback to little endian if those macros are not available.
It took a while to figure out this was the problem and I got rather confused going back and forth between byte orders.
I think the changes I made are correct, but I need additional better testing on the byte orders.
Kevin Day [Mon, 28 Mar 2022 04:30:30 +0000 (23:30 -0500)]
Update: Bring f_utf project in sync with f_string.
I have been explicitly avoiding making change to f_utf until I finished updating and successfully vetted the f_string project.
Now that the f_string has tests that pass, mass update the f_utf project.
This changes the functions and structure to be inline with how f_string works.
Many of the fixes are brought over.
I have observed that several of the bugs that were recently in f_string is also present in f_utf.
These bugs in f_utf should now be fixed as well.
This tests are brought over.
Only the tests for functions that are shared between f_string and f_utf are implemented.
And then those tests currently cannot be compiled.
The reason is that normal quoted strings cannot be used with the special UTF dynamic strings.
I simply did not have the time to get to this to finish writing these tests for f_utf.
There are some parts of f_string that make no sense in f_utf, such as f_string_range_t and f_string_quantity_t (both of which can be used on f_string and f_utf strings).
These have been omitted when copying the relevant f_string into f_utf code.
Kevin Day [Mon, 28 Mar 2022 00:56:35 +0000 (19:56 -0500)]
Update: Restructure parts of f_utf project, and use f_utf_t, and add 'u' to hexdigits in common.h.
Move the relevant functions into utf/convert.h, utf/is.h, and utf/is_character.h.
Implement f_utf_t as a type of uint32_t.
This should allow more customizability on that type if need be.
It also provides a more explicit context.
Add 'u' to designate the hexdigits are unsigned (This likely more specifically means it is an unsigned int).
This might be removed if it becomes a problem with architectures where "u" represents 16-bits or less.
Due to the size of the work, I am avoiding making this change in all of the Unicode comparison functions.
There are quite a lot of hexdigits in use.
Kevin Day [Sun, 27 Mar 2022 22:22:18 +0000 (17:22 -0500)]
Bugfix: Partial string functions are incorrect.
The tests exposed these problems.
The *_assure() functions are operating as if they are *_assure_nulless().
Remove the NULL checks that should not be there and fix the documentation comments.
The *_assure() functions are not considering the following:
1) The case where range.stop is >= source.used.
2) The fact that range.stop is inclusive and should not be directly used in the same way that *.used is used.
In the case of (1), if the stop range result in it overflowing past the actual length, the previous code results in invalid reads.
In the case of (2), the stop.range needs to instead be stop.range + 1.
Kevin Day [Sun, 27 Mar 2022 16:00:28 +0000 (11:00 -0500)]
Update: Add additional tests for f_string project.
This adds tests for the f_string functions for functions defined in string.h.
This adds tests for the f_string functions for functions defined in dynamic.h that functionally mirror functions defined in string.h.
There are still more functions in dynamic.h that need to have tests written for them.
Kevin Day [Sun, 27 Mar 2022 15:19:04 +0000 (10:19 -0500)]
Bugfix: Incorrectly performing nulless string appends and prepends.
These problems are exposed by the tests that I am writing.
The destination->used < length check cannot be performed because of the presence of NULL characters.
The nulless versions of the strings may be identical even if their sizes do not match.
The only case where this check should still happen is when destination.used is 0.
The comparison operator is using the wrong variable in some cases ('j' should be used with 'destination').
Kevin Day [Sun, 27 Mar 2022 01:41:37 +0000 (20:41 -0500)]
Bugfix: Print functions are not always printing the entire string.
I observed this when working with printing binary data in '%Q'.
The fwrite_unlocked() might prematurely return but not on an error.
If it does, first check to see if it is an error and then keep trying until everything is printed.
This is more of a band-aid fix.
This requires an additional variable and an additional loop.
I would rather avoid all of this and so a re-design is likely necessary for greater efficiency.
As this is not my focus at the time I am going to tolerate this less than desirable design.
Kevin Day [Sat, 26 Mar 2022 16:22:39 +0000 (11:22 -0500)]
Bugfix: Increasing strings by too much.
The *_increase_by() methods already include the ".used" length.
The previous code is also adding the ".used" length resulting in an increase of ".used" * 2.
Kevin Day [Sat, 26 Mar 2022 02:38:08 +0000 (21:38 -0500)]
Bugfix: When using --at with --total for --content, the returned number is always 1 and should not be.
The code need to count all newlines rather than always returning 1.
This is likely a bug from copying the code from fss_basic_read where the non-zero count would indeed always be 1.
Kevin Day [Sat, 26 Mar 2022 02:34:34 +0000 (21:34 -0500)]
Bugfix: Invalid content count in FSS Basic List.
When F_none_eos or F_none_stop is returned, the content ends up having an additional size than the actual size.
This is happening because found->used++ is incremented immediately before returning.
When either F_none_eos or F_none_stop is returned, the content is not to be incremented.
Only the caller should know when to assume this is a proper ending representing the content end.
The macro private_macro_fl_fss_content_return_on_overflow_delimited() is only used in one place so remove it.
Make sure to initialize the content for all content read functions to ensure the content count is consistent.
Kevin Day [Mon, 14 Mar 2022 03:10:17 +0000 (22:10 -0500)]
Update: Consistency improvements with *_append() and *_append_all(), add tests, and other clean ups.
The array functions for managing structures needs to be consistent with the *_append() functions.
This introduces the *_append() all across the board.
The previous *_append() behavior is essentially refactored into *_append_all().
The *_append() now accepts a single type for a given structure rather than a set.
(The single type can still be representative of a set itself.)
Add a lot of tests.
Add missing f_iki tests.
The f_string tests are not fully implemented, the f_dynamic_* functions are only partially tested.
All of the other f_string structures should be fully tested now.
Make the macro_f_string_range_t_initialize() macro consistency with all other macros.
That is, the macro initialize that does not have a digit initializes using all of the structures members.
This effectively refactors macro_f_string_range_t_initialize() into macro_f_string_range_t_initialize2() and macro_f_string_range_t_initialize2() into macro_f_string_range_t_initialize().
Change the behavior of the *_resize() and *_adjust() functions to return F_none rather than a direct f_memory status code.
Update some of the string functions to return F_data_not_eos.
Restructure some of the code to be a bit more organized.
Specifically, the f_iki_data_t is moved into its own source and header files.
Reduce the clutter in some of the private source and header files by moving some of their content into separate individual files as appropriate.
Kevin Day [Thu, 10 Mar 2022 04:51:29 +0000 (22:51 -0600)]
Progress: Controller and Control sockets.
This also adds a new FSS: FSS-000F (Simple Packet).
I decided that this needs its own specific specification to represent it.
This further helps make it clear that a Packet is not the same as a Payload.
There can still be some confusion because the FSS-000F (Simple Packet) has a Payload Block.
That Payload Block contains the FSS-000E (Payload).
That FSS-000E (Payload) has a Payload section within itself.
This means that there are three different, but very similar (and also related), contexts used for a "payload".
To try and avoid this, I refer to the payload in FSS-000F (Simple Packet) as the Payload Block.
I refer to the payload in the specifications as the FSS Payload or the FSS-000E (Payload).
I refer to the payload within the FSS-000F (Simple Packet) as the Payload Object, the Payload Content, or the payload section.
Kevin Day [Wed, 9 Mar 2022 05:10:08 +0000 (23:10 -0600)]
Update: Revert back to 'char' rather than 'unsigned char'.
There are a lot more changes that I realized.
changing 'char' to 'unsigned char' will be for the next development release after the upcoming stable release.
Introduce the f_char_t type to allow for easier switching from 'char' to 'unsigned char'.
In all places that us 'unsigned char', just switch to 'char'.
Move the directory '..' and '.' into static strings.
Kevin Day [Tue, 8 Mar 2022 03:46:17 +0000 (21:46 -0600)]
Update: Switch to explicitly using sizeof() for char memset() and memcpy().
Different architectures might not actually have a 1-byte size.
Rather than assuming the common behavior, always call sizeof(unsigned char) to determine size of memset() and mempcy() functions.
Kevin Day [Tue, 8 Mar 2022 03:12:18 +0000 (21:12 -0600)]
Update: Avoid the generic 'char' and switch to the explicit 'unsigned char'.
Operations against unsigned are generally safer than the signed equivalents.
Using the generic 'char' may be different between compilers and expecations cannot be guaranteed.
This could result in obscure security issues.
Changing this to 'unsigned char' guarantees consistent behavior.
There are problems with some standard libc functions that expect char.
Explicitly cast to 'char' in these cases.
Kevin Day [Sun, 6 Mar 2022 22:56:52 +0000 (16:56 -0600)]
Progress: Implement controller to/from control networking.
Continue implementing the contoller to control communication.
I thought I described the packet structures in addition to the payload structure.
It seems I have not.
This begins adding the packet structure documentation.
Kevin Day [Sat, 5 Mar 2022 19:00:13 +0000 (13:00 -0600)]
Update: Provide open-standard-license-1.0.
The Open Standard License is a more formal definition of my original intents and license behind my Standards and Specifications provided in this project.
This standard is still considered an Informal Draft because I have yet to perform legal review and as such it is considered incomplete.
This standard will be formalized pending legal advice and even the name is subject to change.
I thought that there might be confusion between the LGPL license in this project (which focuses on Source Code) and the Standards and Specifications provided within this project.
To make this difference explicitly clear, I am in the process of formalizing the license.
One big important part of this is this license focuses on Implementations of the Standard or Specification.
This is a substantially different concept to what is used in the LGPL and similar licenses.
Kevin Day [Wed, 2 Mar 2022 05:51:29 +0000 (23:51 -0600)]
Update: Add test mode and provide -fstack-protector flag.
The recently added Github action for running tests is failing due to a stack overflow bug.
Compile with ssp explicitly enabled during testing to help better identify these cases.
The problem has not yet been identified and does not reproduce locally.
More investigation on that is be required.
This overflow happens while executing the cmocka based test.
There is the possibility that the overflow is in cmocka or as a result of how I am using cmocka.
Kevin Day [Tue, 1 Mar 2022 04:24:16 +0000 (22:24 -0600)]
Cleanup: Scripts syntax and styles.
The primary focus is on fixing the uppercase letters for the error and warning statements to follow proper sentence structure.
Other clean ups are incidental.
Kevin Day [Tue, 1 Mar 2022 02:49:52 +0000 (20:49 -0600)]
Regression: Some IKI vocabularies are missing their first character.
The previous bugfix (4f0c01eb) failed to check for additional problems introduced by the changes.
I should focus on writing unit tests for fl_read() shortly.
Kevin Day [Tue, 1 Mar 2022 00:49:51 +0000 (18:49 -0600)]
Update: Socket parameters, rename f_socket_bind_file() to f_socket_bind_local(), and return F_local_not when UNIX socket is required.
Make the f_socket_t passed to the f_socket_bind() and f_socket_bind_file() a pointer constant.
Use the f_socket_bind_local() rather than f_socket_bind_file() to better communicate that this is a local (UNIX) socket.
The f_socket_bind_local() requires the socket to be a local (UNIX) socket, so return F_local_not (with error bit) if it is not a local (UNIX) socket.
Kevin Day [Sun, 27 Feb 2022 01:33:59 +0000 (19:33 -0600)]
Bugfix: A Rule's "define" settings are not being exported.
The exporting of the define is never performed and needs to be.
This is a quick implementation.
I've added a TODO describing what I really want to do.
The improved implementation is to be addressed after the FLL-0.5.8 release.
Kevin Day [Sun, 27 Feb 2022 01:31:19 +0000 (19:31 -0600)]
Feature: Maps and Multi-Maps should support appending a single map rather than just an entire set.
This is really an oversight on my part.
The append should by default append a single item.
To append an entire set, a new function should be used (an append all function).
This should be done for all of the string types that are applicable.
Such changes are left for the next release and are not planed for the 0.5.8 release.
This functionality is necessary for bug fixes in the controller program.
Kevin Day [Sun, 27 Feb 2022 00:31:48 +0000 (18:31 -0600)]
Feature: Implement IKI support in controller program.
The functionality is designed to mimic some of the design used in Featureless Make in regards to IKI variables.
There are now "define", "parameter", and "program" IKI vocabularies available.
The "program" should probably have some sort of security property in an Entry to restrict its use.
There is a likelyhood of some design not wanting to expose the program parameters to the Rule.
I may also want to implement a "time" vocabulary in the future (likely to happen no sooner than FLL-0.5.0).
It appears that the define environment variables are not being exported as expected.
This is either an existing bug or a problem in the new feature.
Having reviewed this, I suspect that the problem is in the existing design.
A follow up commit will address this issue.
The --simulate and --test displays any loaded IKI variables.
Kevin Day [Sat, 26 Feb 2022 22:21:04 +0000 (16:21 -0600)]
Update: Delete socket rather than resize when array is over large.
I realized that this might be more performant.
If I have to resize the array because it is over large, then a resize could result in a copy of memory.
At this point in the program, the data is irrelevant.
I suspect deleting the array will perform better than resizing the array to a smaller size.
Kevin Day [Sat, 26 Feb 2022 17:20:01 +0000 (11:20 -0600)]
Security: Invalid va_arg() call resulting in overflow.
This overflow doesn't seem to cause crashes, which is even scarier as has gotten away with unnoticed.
The else condition inside of the formatted print functions are accidentally declaring va_arg() when it shouldn't.
The except_at and except_in are also being unnecessarily declared.
Kevin Day [Sat, 26 Feb 2022 16:50:26 +0000 (10:50 -0600)]
Security: The va_list has undefined behavior when passed into functions.
When the va_list is started using va_start(), the va_arg() must be called within the same function.
This is a design problem with how va_list and its respective functions are implemented.
The man pages directly document that passing an already started va_list to a function and then calling va_arg() is undefined.
The va_list, being a macro, might also be a pointer.
This makes passing it as a pointer (or with "const") risky.
Due to the mentioned undefined states and risks, this is considered and treated as a security issue.
Move the va_XXX() logic into a single function.
This unfortunately means some functions have to be expanded out into the code and deleted.
The code now, unfortunately, has more nested as a result of having to add more loops within the same function.
The va_copy() macro is used and so the ap list state is no longer changed outside of the function.
Kevin Day [Sat, 26 Feb 2022 05:04:47 +0000 (23:04 -0600)]
Bugfix: Improper IKI vocabulary position for when a quote is immediately to the left of the vocabulary name.
I distantly remember attempting to shorthand and optimize the logic to reduce the while loop usage.
This appears to have backfired in that I missed one of the possible conditions.
An example of this is the following bash command utilizing IKI substitution:
echo "IKI Path is 'define:"PATH"'"
In the aboce string, the bug is claining the IKI variable is "'define".
The quote is not a word charcter, not a dash, and not a plus.
The IKI vocabulary is supposed to be "define".
Redesign this back to have the multiple loops.
While this is messier, it should be harder to make a logic mistake.
Cleanup some of the logic to not need the private_f_iki_seek_special() function.
Make sure the width is always calculated prior to calling the UTF aware string functions.
Update wording in iki.txt specification to make a little more sense.
Kevin Day [Sat, 26 Feb 2022 04:58:24 +0000 (22:58 -0600)]
Bugfix: private_fl_print_convert_number() problems and do some cleanup.
The private_fl_print_convert_number() function stops either on non-diit, asterisk, or NULL.
The code is subtracting 1 from the string position.
This allows for the subsequent continue and resulting string increment to not overflow the buffer.
The problem happens when the stop position is a non-digit.
This non-digit is effectivly being skipped by this logic.
Change the logic to always return a position that will allow the subsequent increment without modification.
The position at function exit must never be pointing at NULL.
The position at function exit must never be pointing at a non-digit.
Use "++string" instead of "string += 1".
Change the structure to order from 8, 16, 32, 64, and 128.
projects / fll / log