~mdw / sgt / putty / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Missing assert.
[sgt/putty] / misc.c
1 /*
2 * Platform-independent routines shared between all PuTTY programs.
3 */
4
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <stdarg.h>
8 #include <limits.h>
9 #include <ctype.h>
10 #include <assert.h>
11 #include "putty.h"
12
13 /*
14 * Parse a string block size specification. This is approximately a
15 * subset of the block size specs supported by GNU fileutils:
16 * "nk" = n kilobytes
17 * "nM" = n megabytes
18 * "nG" = n gigabytes
19 * All numbers are decimal, and suffixes refer to powers of two.
20 * Case-insensitive.
21 */
22 unsigned long parse_blocksize(const char *bs)
23 {
24 char *suf;
25 unsigned long r = strtoul(bs, &suf, 10);
26 if (*suf != '\0') {
27 while (*suf && isspace((unsigned char)*suf)) suf++;
28 switch (*suf) {
29 case 'k': case 'K':
30 r *= 1024ul;
31 break;
32 case 'm': case 'M':
33 r *= 1024ul * 1024ul;
34 break;
35 case 'g': case 'G':
36 r *= 1024ul * 1024ul * 1024ul;
37 break;
38 case '\0':
39 default:
40 break;
41 }
42 }
43 return r;
44 }
45
46 /*
47 * Parse a ^C style character specification.
48 * Returns NULL in `next' if we didn't recognise it as a control character,
49 * in which case `c' should be ignored.
50 * The precise current parsing is an oddity inherited from the terminal
51 * answerback-string parsing code. All sequences start with ^; all except
52 * ^<123> are two characters. The ones that are worth keeping are probably:
53 * ^? 127
54 * ^@A-Z[\]^_ 0-31
55 * a-z 1-26
56 * <num> specified by number (decimal, 0octal, 0xHEX)
57 * ~ ^ escape
58 */
59 char ctrlparse(char *s, char **next)
60 {
61 char c = 0;
62 if (*s != '^') {
63 *next = NULL;
64 } else {
65 s++;
66 if (*s == '\0') {
67 *next = NULL;
68 } else if (*s == '<') {
69 s++;
70 c = (char)strtol(s, next, 0);
71 if ((*next == s) || (**next != '>')) {
72 c = 0;
73 *next = NULL;
74 } else
75 (*next)++;
76 } else if (*s >= 'a' && *s <= 'z') {
77 c = (*s - ('a' - 1));
78 *next = s+1;
79 } else if ((*s >= '@' && *s <= '_') || *s == '?' || (*s & 0x80)) {
80 c = ('@' ^ *s);
81 *next = s+1;
82 } else if (*s == '~') {
83 c = '^';
84 *next = s+1;
85 }
86 }
87 return c;
88 }
89
90 prompts_t *new_prompts(void *frontend)
91 {
92 prompts_t *p = snew(prompts_t);
93 p->prompts = NULL;
94 p->n_prompts = 0;
95 p->frontend = frontend;
96 p->data = NULL;
97 p->to_server = TRUE; /* to be on the safe side */
98 p->name = p->instruction = NULL;
99 p->name_reqd = p->instr_reqd = FALSE;
100 return p;
101 }
102 void add_prompt(prompts_t *p, char *promptstr, int echo)
103 {
104 prompt_t *pr = snew(prompt_t);
105 pr->prompt = promptstr;
106 pr->echo = echo;
107 pr->result = NULL;
108 pr->resultsize = 0;
109 p->n_prompts++;
110 p->prompts = sresize(p->prompts, p->n_prompts, prompt_t *);
111 p->prompts[p->n_prompts-1] = pr;
112 }
113 void prompt_ensure_result_size(prompt_t *pr, int newlen)
114 {
115 if ((int)pr->resultsize < newlen) {
116 char *newbuf;
117 newlen = newlen * 5 / 4 + 512; /* avoid too many small allocs */
118
119 /*
120 * We don't use sresize / realloc here, because we will be
121 * storing sensitive stuff like passwords in here, and we want
122 * to make sure that the data doesn't get copied around in
123 * memory without the old copy being destroyed.
124 */
125 newbuf = snewn(newlen, char);
126 memcpy(newbuf, pr->result, pr->resultsize);
127 smemclr(pr->result, pr->resultsize);
128 sfree(pr->result);
129 pr->result = newbuf;
130 pr->resultsize = newlen;
131 }
132 }
133 void prompt_set_result(prompt_t *pr, const char *newstr)
134 {
135 prompt_ensure_result_size(pr, strlen(newstr) + 1);
136 strcpy(pr->result, newstr);
137 }
138 void free_prompts(prompts_t *p)
139 {
140 size_t i;
141 for (i=0; i < p->n_prompts; i++) {
142 prompt_t *pr = p->prompts[i];
143 smemclr(pr->result, pr->resultsize); /* burn the evidence */
144 sfree(pr->result);
145 sfree(pr->prompt);
146 sfree(pr);
147 }
148 sfree(p->prompts);
149 sfree(p->name);
150 sfree(p->instruction);
151 sfree(p);
152 }
153
154 /* ----------------------------------------------------------------------
155 * String handling routines.
156 */
157
158 char *dupstr(const char *s)
159 {
160 char *p = NULL;
161 if (s) {
162 int len = strlen(s);
163 p = snewn(len + 1, char);
164 strcpy(p, s);
165 }
166 return p;
167 }
168
169 /* Allocate the concatenation of N strings. Terminate arg list with NULL. */
170 char *dupcat(const char *s1, ...)
171 {
172 int len;
173 char *p, *q, *sn;
174 va_list ap;
175
176 len = strlen(s1);
177 va_start(ap, s1);
178 while (1) {
179 sn = va_arg(ap, char *);
180 if (!sn)
181 break;
182 len += strlen(sn);
183 }
184 va_end(ap);
185
186 p = snewn(len + 1, char);
187 strcpy(p, s1);
188 q = p + strlen(p);
189
190 va_start(ap, s1);
191 while (1) {
192 sn = va_arg(ap, char *);
193 if (!sn)
194 break;
195 strcpy(q, sn);
196 q += strlen(q);
197 }
198 va_end(ap);
199
200 return p;
201 }
202
203 void burnstr(char *string) /* sfree(str), only clear it first */
204 {
205 if (string) {
206 smemclr(string, strlen(string));
207 sfree(string);
208 }
209 }
210
211 int toint(unsigned u)
212 {
213 /*
214 * Convert an unsigned to an int, without running into the
215 * undefined behaviour which happens by the strict C standard if
216 * the value overflows. You'd hope that sensible compilers would
217 * do the sensible thing in response to a cast, but actually I
218 * don't trust modern compilers not to do silly things like
219 * assuming that _obviously_ you wouldn't have caused an overflow
220 * and so they can elide an 'if (i < 0)' test immediately after
221 * the cast.
222 *
223 * Sensible compilers ought of course to optimise this entire
224 * function into 'just return the input value'!
225 */
226 if (u <= (unsigned)INT_MAX)
227 return (int)u;
228 else if (u >= (unsigned)INT_MIN) /* wrap in cast _to_ unsigned is OK */
229 return INT_MIN + (int)(u - (unsigned)INT_MIN);
230 else
231 return INT_MIN; /* fallback; should never occur on binary machines */
232 }
233
234 /*
235 * Do an sprintf(), but into a custom-allocated buffer.
236 *
237 * Currently I'm doing this via vsnprintf. This has worked so far,
238 * but it's not good, because vsnprintf is not available on all
239 * platforms. There's an ifdef to use `_vsnprintf', which seems
240 * to be the local name for it on Windows. Other platforms may
241 * lack it completely, in which case it'll be time to rewrite
242 * this function in a totally different way.
243 *
244 * The only `properly' portable solution I can think of is to
245 * implement my own format string scanner, which figures out an
246 * upper bound for the length of each formatting directive,
247 * allocates the buffer as it goes along, and calls sprintf() to
248 * actually process each directive. If I ever need to actually do
249 * this, some caveats:
250 *
251 * - It's very hard to find a reliable upper bound for
252 * floating-point values. %f, in particular, when supplied with
253 * a number near to the upper or lower limit of representable
254 * numbers, could easily take several hundred characters. It's
255 * probably feasible to predict this statically using the
256 * constants in <float.h>, or even to predict it dynamically by
257 * looking at the exponent of the specific float provided, but
258 * it won't be fun.
259 *
260 * - Don't forget to _check_, after calling sprintf, that it's
261 * used at most the amount of space we had available.
262 *
263 * - Fault any formatting directive we don't fully understand. The
264 * aim here is to _guarantee_ that we never overflow the buffer,
265 * because this is a security-critical function. If we see a
266 * directive we don't know about, we should panic and die rather
267 * than run any risk.
268 */
269 char *dupprintf(const char *fmt, ...)
270 {
271 char *ret;
272 va_list ap;
273 va_start(ap, fmt);
274 ret = dupvprintf(fmt, ap);
275 va_end(ap);
276 return ret;
277 }
278 char *dupvprintf(const char *fmt, va_list ap)
279 {
280 char *buf;
281 int len, size;
282
283 buf = snewn(512, char);
284 size = 512;
285
286 while (1) {
287 #ifdef _WINDOWS
288 #define vsnprintf _vsnprintf
289 #endif
290 #ifdef va_copy
291 /* Use the `va_copy' macro mandated by C99, if present.
292 * XXX some environments may have this as __va_copy() */
293 va_list aq;
294 va_copy(aq, ap);
295 len = vsnprintf(buf, size, fmt, aq);
296 va_end(aq);
297 #else
298 /* Ugh. No va_copy macro, so do something nasty.
299 * Technically, you can't reuse a va_list like this: it is left
300 * unspecified whether advancing a va_list pointer modifies its
301 * value or something it points to, so on some platforms calling
302 * vsnprintf twice on the same va_list might fail hideously
303 * (indeed, it has been observed to).
304 * XXX the autoconf manual suggests that using memcpy() will give
305 * "maximum portability". */
306 len = vsnprintf(buf, size, fmt, ap);
307 #endif
308 if (len >= 0 && len < size) {
309 /* This is the C99-specified criterion for snprintf to have
310 * been completely successful. */
311 return buf;
312 } else if (len > 0) {
313 /* This is the C99 error condition: the returned length is
314 * the required buffer size not counting the NUL. */
315 size = len + 1;
316 } else {
317 /* This is the pre-C99 glibc error condition: <0 means the
318 * buffer wasn't big enough, so we enlarge it a bit and hope. */
319 size += 512;
320 }
321 buf = sresize(buf, size, char);
322 }
323 }
324
325 /*
326 * Read an entire line of text from a file. Return a buffer
327 * malloced to be as big as necessary (caller must free).
328 */
329 char *fgetline(FILE *fp)
330 {
331 char *ret = snewn(512, char);
332 int size = 512, len = 0;
333 while (fgets(ret + len, size - len, fp)) {
334 len += strlen(ret + len);
335 if (ret[len-1] == '\n')
336 break; /* got a newline, we're done */
337 size = len + 512;
338 ret = sresize(ret, size, char);
339 }
340 if (len == 0) { /* first fgets returned NULL */
341 sfree(ret);
342 return NULL;
343 }
344 ret[len] = '\0';
345 return ret;
346 }
347
348 /* ----------------------------------------------------------------------
349 * Base64 encoding routine. This is required in public-key writing
350 * but also in HTTP proxy handling, so it's centralised here.
351 */
352
353 void base64_encode_atom(unsigned char *data, int n, char *out)
354 {
355 static const char base64_chars[] =
356 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
357
358 unsigned word;
359
360 word = data[0] << 16;
361 if (n > 1)
362 word |= data[1] << 8;
363 if (n > 2)
364 word |= data[2];
365 out[0] = base64_chars[(word >> 18) & 0x3F];
366 out[1] = base64_chars[(word >> 12) & 0x3F];
367 if (n > 1)
368 out[2] = base64_chars[(word >> 6) & 0x3F];
369 else
370 out[2] = '=';
371 if (n > 2)
372 out[3] = base64_chars[word & 0x3F];
373 else
374 out[3] = '=';
375 }
376
377 /* ----------------------------------------------------------------------
378 * Generic routines to deal with send buffers: a linked list of
379 * smallish blocks, with the operations
380 *
381 * - add an arbitrary amount of data to the end of the list
382 * - remove the first N bytes from the list
383 * - return a (pointer,length) pair giving some initial data in
384 * the list, suitable for passing to a send or write system
385 * call
386 * - retrieve a larger amount of initial data from the list
387 * - return the current size of the buffer chain in bytes
388 */
389
390 #define BUFFER_MIN_GRANULE 512
391
392 struct bufchain_granule {
393 struct bufchain_granule *next;
394 char *bufpos, *bufend, *bufmax;
395 };
396
397 void bufchain_init(bufchain *ch)
398 {
399 ch->head = ch->tail = NULL;
400 ch->buffersize = 0;
401 }
402
403 void bufchain_clear(bufchain *ch)
404 {
405 struct bufchain_granule *b;
406 while (ch->head) {
407 b = ch->head;
408 ch->head = ch->head->next;
409 sfree(b);
410 }
411 ch->tail = NULL;
412 ch->buffersize = 0;
413 }
414
415 int bufchain_size(bufchain *ch)
416 {
417 return ch->buffersize;
418 }
419
420 void bufchain_add(bufchain *ch, const void *data, int len)
421 {
422 const char *buf = (const char *)data;
423
424 if (len == 0) return;
425
426 ch->buffersize += len;
427
428 while (len > 0) {
429 if (ch->tail && ch->tail->bufend < ch->tail->bufmax) {
430 int copylen = min(len, ch->tail->bufmax - ch->tail->bufend);
431 memcpy(ch->tail->bufend, buf, copylen);
432 buf += copylen;
433 len -= copylen;
434 ch->tail->bufend += copylen;
435 }
436 if (len > 0) {
437 int grainlen =
438 max(sizeof(struct bufchain_granule) + len, BUFFER_MIN_GRANULE);
439 struct bufchain_granule *newbuf;
440 newbuf = smalloc(grainlen);
441 newbuf->bufpos = newbuf->bufend =
442 (char *)newbuf + sizeof(struct bufchain_granule);
443 newbuf->bufmax = (char *)newbuf + grainlen;
444 newbuf->next = NULL;
445 if (ch->tail)
446 ch->tail->next = newbuf;
447 else
448 ch->head = newbuf;
449 ch->tail = newbuf;
450 }
451 }
452 }
453
454 void bufchain_consume(bufchain *ch, int len)
455 {
456 struct bufchain_granule *tmp;
457
458 assert(ch->buffersize >= len);
459 while (len > 0) {
460 int remlen = len;
461 assert(ch->head != NULL);
462 if (remlen >= ch->head->bufend - ch->head->bufpos) {
463 remlen = ch->head->bufend - ch->head->bufpos;
464 tmp = ch->head;
465 ch->head = tmp->next;
466 if (!ch->head)
467 ch->tail = NULL;
468 sfree(tmp);
469 } else
470 ch->head->bufpos += remlen;
471 ch->buffersize -= remlen;
472 len -= remlen;
473 }
474 }
475
476 void bufchain_prefix(bufchain *ch, void **data, int *len)
477 {
478 *len = ch->head->bufend - ch->head->bufpos;
479 *data = ch->head->bufpos;
480 }
481
482 void bufchain_fetch(bufchain *ch, void *data, int len)
483 {
484 struct bufchain_granule *tmp;
485 char *data_c = (char *)data;
486
487 tmp = ch->head;
488
489 assert(ch->buffersize >= len);
490 while (len > 0) {
491 int remlen = len;
492
493 assert(tmp != NULL);
494 if (remlen >= tmp->bufend - tmp->bufpos)
495 remlen = tmp->bufend - tmp->bufpos;
496 memcpy(data_c, tmp->bufpos, remlen);
497
498 tmp = tmp->next;
499 len -= remlen;
500 data_c += remlen;
501 }
502 }
503
504 /* ----------------------------------------------------------------------
505 * My own versions of malloc, realloc and free. Because I want
506 * malloc and realloc to bomb out and exit the program if they run
507 * out of memory, realloc to reliably call malloc if passed a NULL
508 * pointer, and free to reliably do nothing if passed a NULL
509 * pointer. We can also put trace printouts in, if we need to; and
510 * we can also replace the allocator with an ElectricFence-like
511 * one.
512 */
513
514 #ifdef MINEFIELD
515 void *minefield_c_malloc(size_t size);
516 void minefield_c_free(void *p);
517 void *minefield_c_realloc(void *p, size_t size);
518 #endif
519
520 #ifdef MALLOC_LOG
521 static FILE *fp = NULL;
522
523 static char *mlog_file = NULL;
524 static int mlog_line = 0;
525
526 void mlog(char *file, int line)
527 {
528 mlog_file = file;
529 mlog_line = line;
530 if (!fp) {
531 fp = fopen("putty_mem.log", "w");
532 setvbuf(fp, NULL, _IONBF, BUFSIZ);
533 }
534 if (fp)
535 fprintf(fp, "%s:%d: ", file, line);
536 }
537 #endif
538
539 void *safemalloc(size_t n, size_t size)
540 {
541 void *p;
542
543 if (n > INT_MAX / size) {
544 p = NULL;
545 } else {
546 size *= n;
547 if (size == 0) size = 1;
548 #ifdef MINEFIELD
549 p = minefield_c_malloc(size);
550 #else
551 p = malloc(size);
552 #endif
553 }
554
555 if (!p) {
556 char str[200];
557 #ifdef MALLOC_LOG
558 sprintf(str, "Out of memory! (%s:%d, size=%d)",
559 mlog_file, mlog_line, size);
560 fprintf(fp, "*** %s\n", str);
561 fclose(fp);
562 #else
563 strcpy(str, "Out of memory!");
564 #endif
565 modalfatalbox(str);
566 }
567 #ifdef MALLOC_LOG
568 if (fp)
569 fprintf(fp, "malloc(%d) returns %p\n", size, p);
570 #endif
571 return p;
572 }
573
574 void *saferealloc(void *ptr, size_t n, size_t size)
575 {
576 void *p;
577
578 if (n > INT_MAX / size) {
579 p = NULL;
580 } else {
581 size *= n;
582 if (!ptr) {
583 #ifdef MINEFIELD
584 p = minefield_c_malloc(size);
585 #else
586 p = malloc(size);
587 #endif
588 } else {
589 #ifdef MINEFIELD
590 p = minefield_c_realloc(ptr, size);
591 #else
592 p = realloc(ptr, size);
593 #endif
594 }
595 }
596
597 if (!p) {
598 char str[200];
599 #ifdef MALLOC_LOG
600 sprintf(str, "Out of memory! (%s:%d, size=%d)",
601 mlog_file, mlog_line, size);
602 fprintf(fp, "*** %s\n", str);
603 fclose(fp);
604 #else
605 strcpy(str, "Out of memory!");
606 #endif
607 modalfatalbox(str);
608 }
609 #ifdef MALLOC_LOG
610 if (fp)
611 fprintf(fp, "realloc(%p,%d) returns %p\n", ptr, size, p);
612 #endif
613 return p;
614 }
615
616 void safefree(void *ptr)
617 {
618 if (ptr) {
619 #ifdef MALLOC_LOG
620 if (fp)
621 fprintf(fp, "free(%p)\n", ptr);
622 #endif
623 #ifdef MINEFIELD
624 minefield_c_free(ptr);
625 #else
626 free(ptr);
627 #endif
628 }
629 #ifdef MALLOC_LOG
630 else if (fp)
631 fprintf(fp, "freeing null pointer - no action taken\n");
632 #endif
633 }
634
635 /* ----------------------------------------------------------------------
636 * Debugging routines.
637 */
638
639 #ifdef DEBUG
640 extern void dputs(char *); /* defined in per-platform *misc.c */
641
642 void debug_printf(char *fmt, ...)
643 {
644 char *buf;
645 va_list ap;
646
647 va_start(ap, fmt);
648 buf = dupvprintf(fmt, ap);
649 dputs(buf);
650 sfree(buf);
651 va_end(ap);
652 }
653
654
655 void debug_memdump(void *buf, int len, int L)
656 {
657 int i;
658 unsigned char *p = buf;
659 char foo[17];
660 if (L) {
661 int delta;
662 debug_printf("\t%d (0x%x) bytes:\n", len, len);
663 delta = 15 & (unsigned long int) p;
664 p -= delta;
665 len += delta;
666 }
667 for (; 0 < len; p += 16, len -= 16) {
668 dputs(" ");
669 if (L)
670 debug_printf("%p: ", p);
671 strcpy(foo, "................"); /* sixteen dots */
672 for (i = 0; i < 16 && i < len; ++i) {
673 if (&p[i] < (unsigned char *) buf) {
674 dputs(" "); /* 3 spaces */
675 foo[i] = ' ';
676 } else {
677 debug_printf("%c%02.2x",
678 &p[i] != (unsigned char *) buf
679 && i % 4 ? '.' : ' ', p[i]
680 );
681 if (p[i] >= ' ' && p[i] <= '~')
682 foo[i] = (char) p[i];
683 }
684 }
685 foo[i] = '\0';
686 debug_printf("%*s%s\n", (16 - i) * 3 + 2, "", foo);
687 }
688 }
689
690 #endif /* def DEBUG */
691
692 /*
693 * Determine whether or not a Conf represents a session which can
694 * sensibly be launched right now.
695 */
696 int conf_launchable(Conf *conf)
697 {
698 if (conf_get_int(conf, CONF_protocol) == PROT_SERIAL)
699 return conf_get_str(conf, CONF_serline)[0] != 0;
700 else
701 return conf_get_str(conf, CONF_host)[0] != 0;
702 }
703
704 char const *conf_dest(Conf *conf)
705 {
706 if (conf_get_int(conf, CONF_protocol) == PROT_SERIAL)
707 return conf_get_str(conf, CONF_serline);
708 else
709 return conf_get_str(conf, CONF_host);
710 }
711
712 #ifndef PLATFORM_HAS_SMEMCLR
713 /*
714 * Securely wipe memory.
715 *
716 * The actual wiping is no different from what memset would do: the
717 * point of 'securely' is to try to be sure over-clever compilers
718 * won't optimise away memsets on variables that are about to be freed
719 * or go out of scope. See
720 * https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/771-BSI.html
721 *
722 * Some platforms (e.g. Windows) may provide their own version of this
723 * function.
724 */
725 void smemclr(void *b, size_t n) {
726 volatile char *vp;
727
728 if (b && n > 0) {
729 /*
730 * Zero out the memory.
731 */
732 memset(b, 0, n);
733
734 /*
735 * Perform a volatile access to the object, forcing the
736 * compiler to admit that the previous memset was important.
737 *
738 * This while loop should in practice run for zero iterations
739 * (since we know we just zeroed the object out), but in
740 * theory (as far as the compiler knows) it might range over
741 * the whole object. (If we had just written, say, '*vp =
742 * *vp;', a compiler could in principle have 'helpfully'
743 * optimised the memset into only zeroing out the first byte.
744 * This should be robust.)
745 */
746 vp = b;
747 while (*vp) vp++;
748 }
749 }
750 #endif
Simon Tatham's PuTTY GUI SSH client; import of svn://svn.tartarus.org/sgt/putty