Prevent TOCTTOU bugs in C ports

* libguile/ports-internal.h (scm_port_buffer_can_take): (scm_port_buffer_can_put): Add cur/end output arguments so that when a caller asks the buffer room, it can be relative to a fixed point in the buffer and not whatever point it's at when we go to fill it. (scm_port_buffer_did_take, scm_port_buffer_did_put): Similarly, require that the caller knows where they took/put data in the buffer. Prevents overflow. (scm_port_buffer_take_pointer, scm_port_buffer_put_pointer): Likewise, require that the caller has already checked and knows a position in the buffer and therefore how much data is available. (scm_port_buffer_take, scm_port_buffer_put, scm_port_buffer_putback): Adapt. * libguile/ports.h (scm_fill_input): Add cur/avail output arguments. * libguile/filesys.c: * libguile/poll.c: * libguile/ports.c: * libguile/r6rs-ports.c: * libguile/read.c: * libguile/rw.c: Adapt all callers. Gnarly work!
2025-06-17 01:00:20 +02:00 · 2017-02-08 15:05:03 +01:00 · 2017-02-08 15:05:03 +01:00 · 09a69dd712
commit 09a69dd712
parent 8a4774dec8
8 changed files with 251 additions and 176 deletions
--- a/libguile/poll.c
+++ b/libguile/poll.c
@ -108,12 +108,13 @@ scm_primitive_poll (SCM pollfds, SCM nfds, SCM ports, SCM timeout)
          else
            {
              scm_t_port *pt = SCM_PORT (port);
+              size_t tmp;

-              if (scm_port_buffer_can_take (pt->read_buf) > 0)
+              if (scm_port_buffer_can_take (pt->read_buf, &tmp) > 0)
                /* Buffered input waiting to be read. */
                revents |= POLLIN;
              if (SCM_OUTPUT_PORT_P (port)
-                  && scm_port_buffer_can_put (pt->write_buf) > 1)
+                  && scm_port_buffer_can_put (pt->write_buf, &tmp) > 1)
                /* Buffered output possible.  The "> 1" is because
                   writing the last byte would flush the port.  */
                revents |= POLLOUT;
@ -146,12 +147,13 @@ scm_primitive_poll (SCM pollfds, SCM nfds, SCM ports, SCM timeout)
            else
              {
                scm_t_port *pt = SCM_PORT (port);
+                size_t tmp;

-                if (scm_port_buffer_can_take (pt->read_buf) > 0)
+                if (scm_port_buffer_can_take (pt->read_buf, &tmp) > 0)
                  /* Buffered input waiting to be read. */
                  revents |= POLLIN;
                if (SCM_OUTPUT_PORT_P (port)
-                    && scm_port_buffer_can_put (pt->write_buf) > 1)
+                    && scm_port_buffer_can_put (pt->write_buf, &tmp) > 1)
                  /* Buffered output possible.  The "> 1" is because
                     writing the last byte would flush the port.  */
                  revents |= POLLOUT;