| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87jz3g930q.fsf@kernel.org>
Date: Wed, 06 Aug 2025 12:07:49 +0200
From: Andreas Hindborg <a.hindborg@...nel.org>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Boqun Feng <boqun.feng@...il.com>, Miguel Ojeda <ojeda@...nel.org>, Alex
Gaynor <alex.gaynor@...il.com>, Gary Guo <gary@...yguo.net>, Björn Roy
Baron <bjorn3_gh@...tonmail.com>, Benno Lossin <lossin@...nel.org>, Trevor
Gross <tmgross@...ch.edu>, Danilo Krummrich <dakr@...nel.org>, Jens Axboe
<axboe@...nel.dk>, linux-block@...r.kernel.org,
rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 05/16] rust: str: introduce `NullTerminatedFormatter`
"Alice Ryhl" <aliceryhl@...gle.com> writes:
> On Fri, Jul 11, 2025 at 01:43:06PM +0200, Andreas Hindborg wrote:
>> Add `NullTerminatedFormatter`, a formatter that writes a null terminated
>> string to an array or slice buffer. Because this type needs to manage the
>> trailing null marker, the existing formatters cannot be used to implement
>> this type.
>>
>> Signed-off-by: Andreas Hindborg <a.hindborg@...nel.org>
>> ---
>> rust/kernel/str.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 50 insertions(+)
>>
>> diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
>> index b1bc584803b0..c58925438c6e 100644
>> --- a/rust/kernel/str.rs
>> +++ b/rust/kernel/str.rs
>> @@ -838,6 +838,56 @@ fn write_str(&mut self, s: &str) -> fmt::Result {
>> }
>> }
>>
>> +/// A mutable reference to a byte buffer where a string can be written into.
>> +///
>> +/// The buffer will be automatically null terminated after the last written character.
>> +///
>> +/// # Invariants
>> +///
>> +/// `buffer` is always null terminated.
>
> Since you modify the buffer range, the actual invariant is that the
> first byte of `buffer` is zero.
It is still null terminated, although your suggestion is more precise.
>
>> +pub(crate) struct NullTerminatedFormatter<'a> {
>
> Isn't it called "nul" rather than "null"? My understanding is that
> "null" is for the pointer case, and "nul" is the name of the ascii
> character at codepoint zero.
I don't know. I did a quick internet search but got no definitive
answer. Wikipedia says "Null character" [1].
[1] https://en.wikipedia.org/wiki/Null_character
>
>> + buffer: &'a mut [u8],
>> +}
>> +
>> +impl<'a> NullTerminatedFormatter<'a> {
>> + /// Create a new [`Self`] instance.
>> + pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
>> + *(buffer.first_mut()?) = 0;
>> +
>> + // INVARIANT: We null terminated the buffer above.
>> + Some(Self { buffer })
>> + }
>> +
>> + #[expect(dead_code)]
>> + pub(crate) fn from_array<const N: usize>(
>> + buffer: &'a mut [crate::ffi::c_char; N],
>> + ) -> Option<NullTerminatedFormatter<'a>> {
>
> Can't you just call `::new` where you use this method?
Yes, this can be elided, thanks.
>
>> + Self::new(buffer)
>> + }
>> +}
>> +
>> +impl Write for NullTerminatedFormatter<'_> {
>> + fn write_str(&mut self, s: &str) -> fmt::Result {
>> + let bytes = s.as_bytes();
>> + let len = bytes.len();
>> +
>> + // We want space for a null terminator. Buffer length is always at least 1, so no overflow.
>
> overflow -> underflow
Coming from a computer architecture background, these are the same to
me. Also, core has `u16::overflowing_sub` [2].
[2] https://doc.rust-lang.org/stable/core/primitive.u16.html#method.overflowing_sub
>
>> + if len > self.buffer.len() - 1 {
>
> this is just `len >= self.buffer.len()`.
It is, but is it better?
Best regards,
Andreas Hindborg
Powered by blists - more mailing lists