| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aHYiK1cr3I_ShQU2@google.com>
Date: Tue, 15 Jul 2025 09:40:59 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: Andreas Hindborg <a.hindborg@...nel.org>
Cc: Boqun Feng <boqun.feng@...il.com>, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>, Gary Guo <gary@...yguo.net>,
"Björn Roy Baron" <bjorn3_gh@...tonmail.com>, Benno Lossin <lossin@...nel.org>,
Trevor Gross <tmgross@...ch.edu>, Danilo Krummrich <dakr@...nel.org>, Jens Axboe <axboe@...nel.dk>,
linux-block@...r.kernel.org, rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 05/16] rust: str: introduce `NullTerminatedFormatter`
On Fri, Jul 11, 2025 at 01:43:06PM +0200, Andreas Hindborg wrote:
> Add `NullTerminatedFormatter`, a formatter that writes a null terminated
> string to an array or slice buffer. Because this type needs to manage the
> trailing null marker, the existing formatters cannot be used to implement
> this type.
>
> Signed-off-by: Andreas Hindborg <a.hindborg@...nel.org>
> ---
> rust/kernel/str.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
> diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
> index b1bc584803b0..c58925438c6e 100644
> --- a/rust/kernel/str.rs
> +++ b/rust/kernel/str.rs
> @@ -838,6 +838,56 @@ fn write_str(&mut self, s: &str) -> fmt::Result {
> }
> }
>
> +/// A mutable reference to a byte buffer where a string can be written into.
> +///
> +/// The buffer will be automatically null terminated after the last written character.
> +///
> +/// # Invariants
> +///
> +/// `buffer` is always null terminated.
Since you modify the buffer range, the actual invariant is that the
first byte of `buffer` is zero.
> +pub(crate) struct NullTerminatedFormatter<'a> {
Isn't it called "nul" rather than "null"? My understanding is that
"null" is for the pointer case, and "nul" is the name of the ascii
character at codepoint zero.
> + buffer: &'a mut [u8],
> +}
> +
> +impl<'a> NullTerminatedFormatter<'a> {
> + /// Create a new [`Self`] instance.
> + pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
> + *(buffer.first_mut()?) = 0;
> +
> + // INVARIANT: We null terminated the buffer above.
> + Some(Self { buffer })
> + }
> +
> + #[expect(dead_code)]
> + pub(crate) fn from_array<const N: usize>(
> + buffer: &'a mut [crate::ffi::c_char; N],
> + ) -> Option<NullTerminatedFormatter<'a>> {
Can't you just call `::new` where you use this method?
> + Self::new(buffer)
> + }
> +}
> +
> +impl Write for NullTerminatedFormatter<'_> {
> + fn write_str(&mut self, s: &str) -> fmt::Result {
> + let bytes = s.as_bytes();
> + let len = bytes.len();
> +
> + // We want space for a null terminator. Buffer length is always at least 1, so no overflow.
overflow -> underflow
> + if len > self.buffer.len() - 1 {
this is just `len >= self.buffer.len()`.
> + return Err(fmt::Error);
> + }
> +
> + let buffer = core::mem::take(&mut self.buffer);
> + // We break the null termination invariant for a short while.
> + buffer[..len].copy_from_slice(bytes);
> + self.buffer = &mut buffer[len..];
> +
> + // INVARIANT: We null terminate the buffer.
> + self.buffer[0] = 0;
> +
> + Ok(())
> + }
> +}
> +
> /// An owned string that is guaranteed to have exactly one `NUL` byte, which is at the end.
> ///
> /// Used for interoperability with kernel APIs that take C strings.
>
> --
> 2.47.2
>
>
Powered by blists - more mailing lists