mirror of
https://github.com/opnsense/src.git
synced 2026-02-23 18:00:31 -05:00
644d814471
An overread condition in memccpy(dst, src, c, len) would occur if
src does not cross a 16 byte boundary and there is no instance of
c between *src and the next 16 byte boundary. This could cause a
read fault if src is just before the end of a page and the next page
is unmapped or unreadable.
The bug is a consequence of basing memccpy() on the strlcpy() code:
whereas strlcpy() assumes that src is a nul-terminated string and
hence a terminator is always present, c may not be present at all in
the source string. It was not caught earlier due to insufficient
unit test design.
As a part of the fix, the function is refactored such that the runt
case (buffer length from last alignment boundary between 1 and 32 B)
is handled separately. This reduces the number of conditional
branches on all code paths and simplifies the handling of early
matches in the non-runt case. Performance is improved slightly.
os: FreeBSD
arch: amd64
cpu: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
│ memccpy.unfixed.out │ memccpy.fixed.out │
│ sec/op │ sec/op vs base │
Short 66.76µ ± 0% 62.45µ ± 1% -6.44% (p=0.000 n=20)
Mid 7.938µ ± 0% 7.967µ ± 0% +0.36% (p=0.001 n=20)
Long 3.577µ ± 0% 3.577µ ± 0% ~ (p=0.429 n=20)
geomean 12.38µ 12.12µ -2.08%
│ memccpy.unfixed.out │ memccpy.fixed.out │
│ B/s │ B/s vs base │
Short 1.744Gi ± 0% 1.864Gi ± 1% +6.89% (p=0.000 n=20)
Mid 14.67Gi ± 0% 14.61Gi ± 0% -0.36% (p=0.001 n=20)
Long 32.55Gi ± 0% 32.55Gi ± 0% ~ (p=0.429 n=20)
geomean 9.407Gi 9.606Gi +2.12%
Reported by: getz
Reviewed by: getz
Approved by: mjg (blanket, via IRC)
See also: D46051
MFC: stable/14
Event: GSoC 2024
Differential Revision: https://reviews.freebsd.org/D46052
|
||
|---|---|---|
| .. | ||
| amd64_archlevel.c | ||
| bcmp.S | ||
| bcopy.c | ||
| bzero.c | ||
| Makefile.inc | ||
| memccpy.S | ||
| memchr.S | ||
| memcmp.S | ||
| memcpy.S | ||
| memmove.S | ||
| memrchr.S | ||
| memset.S | ||
| stpcpy.S | ||
| stpncpy.S | ||
| strcat.S | ||
| strchrnul.S | ||
| strcmp.S | ||
| strcpy.c | ||
| strcspn.S | ||
| strlcat.c | ||
| strlcpy.S | ||
| strlen.S | ||
| strncat.c | ||
| strncmp.S | ||
| strncpy.c | ||
| strnlen.c | ||
| strpbrk.c | ||
| strrchr.S | ||
| strsep.c | ||
| strspn.S | ||
| timingsafe_bcmp.S | ||
| timingsafe_memcmp.S | ||