ssp: fix our gets_s implementation under _FORTIFY_SOURCE

Annex K specifies an interface for handling constraint violations from
gets_s, but we previously broke this for some classes of get_s misuse.

Provide a more nuanced version that tries to dodge errors that would
trigger a constraint handler while still providing value.  Notably, we
don't want to trigger a failure unless the passed-in length reasonably
fits within an RSIZE_MAX, because gets_s will immediately call larger
lengths bogus and fail.

PR:		294881
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56734

1 files changed, 29 insertions, 1 deletions

diff --git a/include/ssp/stdio.h b/include/ssp/stdio.h
index 630683951e4b..17bda8d3ee2d 100644
--- a/include/ssp/stdio.h
+++ b/include/ssp/stdio.h
@@ -36,6 +36,10 @@
 
 #include <ssp/ssp.h>
 
+#if __SSP_FORTIFY_LEVEL > 0 && __EXT1_VISIBLE
+#include <sys/stdint.h>
+#endif
+
 __BEGIN_DECLS
 #if __SSP_FORTIFY_LEVEL > 0
 #if __POSIX_VISIBLE
@@ -51,7 +55,31 @@ __ssp_redirect(size_t, fread, (void *__restrict __buf, size_t __len,
 __ssp_redirect(size_t, fread_unlocked, (void *__restrict __buf, size_t __len,
     size_t __nmemb, FILE *__restrict __fp), (__buf, __len, __nmemb, __fp));
 #if __EXT1_VISIBLE
-__ssp_redirect(char *, gets_s, (char *__buf, rsize_t __len), (__buf, __len));
+__ssp_redirect_raw_impl(char *, gets_s, gets_s,
+    (char *buf, rsize_t len))
+{
+	char *retbuf;
+	size_t bufsz;
+	int need_fail = 0;
+
+	/*
+	 * If we would have overwritten our buffer, we want to fail the check
+	 * only if these arguments wouldn't have triggered a constraint
+	 * violation.
+	 */
+	bufsz = __ssp_bos(buf);
+	if (bufsz != (size_t)-1 && (size_t)len > bufsz) {
+		if (len <= RSIZE_MAX)
+			__chk_fail();
+		need_fail = 1;
+	}
+
+	retbuf = __ssp_real(gets_s)(buf, len);
+	if (need_fail && retbuf != NULL)
+		__chk_fail();
+	return (retbuf);
+}
+
 #endif /* __EXT1_VISIBLE */
 __ssp_redirect_raw(char *, tmpnam, tmpnam, (char *__buf), (__buf), 1,
     __ssp_bos, L_tmpnam);