<html lang="en">
<head>
<title>Object Size Checking - Using the GNU Compiler Collection (GCC)</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Using the GNU Compiler Collection (GCC)">
<meta name="generator" content="makeinfo 4.13">
<link title="Top" rel="start" href="index.html#Top">
<link rel="up" href="C-Extensions.html#C-Extensions" title="C Extensions">
<link rel="prev" href="Atomic-Builtins.html#Atomic-Builtins" title="Atomic Builtins">
<link rel="next" href="Other-Builtins.html#Other-Builtins" title="Other Builtins">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
<!--
Copyright (C) 1988, 1989, 1992, 1993, 1994, 1995, 1996, 1997,
1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
2010 Free Software Foundation, Inc.

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with the
Invariant Sections being ``Funding Free Software'', the Front-Cover
Texts being (a) (see below), and with the Back-Cover Texts being (b)
(see below).  A copy of the license is included in the section entitled
``GNU Free Documentation License''.

(a) The FSF's Front-Cover Text is:

     A GNU Manual

(b) The FSF's Back-Cover Text is:

     You have freedom to copy and modify this GNU Manual, like GNU
     software.  Copies published by the Free Software Foundation raise
     funds for GNU development.-->
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
  pre.display { font-family:inherit }
  pre.format  { font-family:inherit }
  pre.smalldisplay { font-family:inherit; font-size:smaller }
  pre.smallformat  { font-family:inherit; font-size:smaller }
  pre.smallexample { font-size:smaller }
  pre.smalllisp    { font-size:smaller }
  span.sc    { font-variant:small-caps }
  span.roman { font-family:serif; font-weight:normal; }
  span.sansserif { font-family:sans-serif; font-weight:normal; }
--></style>
<link rel="stylesheet" type="text/css" href="../cs.css">
</head>
<body>
<div class="node">
<a name="Object-Size-Checking"></a>
<p>
Next:&nbsp;<a rel="next" accesskey="n" href="Other-Builtins.html#Other-Builtins">Other Builtins</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="Atomic-Builtins.html#Atomic-Builtins">Atomic Builtins</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="C-Extensions.html#C-Extensions">C Extensions</a>
<hr>
</div>

<h3 class="section">6.52 Object Size Checking Builtins</h3>

<p><a name="index-g_t_005f_005fbuiltin_005fobject_005fsize-2724"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmemcpy_005fchk-2725"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmempcpy_005fchk-2726"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmemmove_005fchk-2727"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fmemset_005fchk-2728"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrcpy_005fchk-2729"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstpcpy_005fchk-2730"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrncpy_005fchk-2731"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrcat_005fchk-2732"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fstrncat_005fchk-2733"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fsprintf_005fchk-2734"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fsnprintf_005fchk-2735"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvsprintf_005fchk-2736"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvsnprintf_005fchk-2737"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fprintf_005fchk-2738"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvprintf_005fchk-2739"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005ffprintf_005fchk-2740"></a><a name="index-g_t_005f_005fbuiltin_005f_005f_005fvfprintf_005fchk-2741"></a>
GCC implements a limited buffer overflow protection mechanism
that can prevent some buffer overflow attacks.

<div class="defun">
&mdash; Built-in Function: size_t <b>__builtin_object_size</b> (<var>void * ptr, int type</var>)<var><a name="index-g_t_005f_005fbuiltin_005fobject_005fsize-2742"></a></var><br>
<blockquote><p>is a built-in construct that returns a constant number of bytes from
<var>ptr</var> to the end of the object that <var>ptr</var> points to
(if known at compile time).  <code>__builtin_object_size</code> never evaluates
its arguments for side-effects.  If there are any side-effects in them, it
returns <code>(size_t) -1</code> for <var>type</var> 0 or 1 and <code>(size_t) 0</code>
for <var>type</var> 2 or 3.  If there are multiple objects <var>ptr</var> can
point to and all of them are known at compile time, the returned number
is the maximum of the remaining byte counts in those objects if <var>type</var> &amp; 2 is
0 and the minimum if it is nonzero.  If it is not possible to determine which objects
<var>ptr</var> points to at compile time, <code>__builtin_object_size</code> should
return <code>(size_t) -1</code> for <var>type</var> 0 or 1 and <code>(size_t) 0</code>
for <var>type</var> 2 or 3.

      <p><var>type</var> is an integer constant from 0 to 3.  If the least significant
bit is clear, objects are whole variables; if it is set, the closest
surrounding subobject is considered the object a pointer points to.
The second bit determines whether the maximum or the minimum of the remaining bytes
is computed.

     <pre class="smallexample">          struct V { char buf1[10]; int b; char buf2[10]; } var;
          /* The cast keeps the initialization of q type-correct.  */
          char *p = &amp;var.buf1[1], *q = (char *) &amp;var.b;

          /* Here the object p points to is var.  */
          assert (__builtin_object_size (p, 0) == sizeof (var) - 1);
          /* The subobject p points to is var.buf1.  */
          assert (__builtin_object_size (p, 1) == sizeof (var.buf1) - 1);
          /* The object q points to is var.  */
          assert (__builtin_object_size (q, 0)
                  == (char *) (&amp;var + 1) - (char *) &amp;var.b);
          /* The subobject q points to is var.b.  */
          assert (__builtin_object_size (q, 1) == sizeof (var.b));
</pre>
      </blockquote></div>

 <p>There are built-in functions added for many common string operation
functions; e.g., for <code>memcpy</code> the <code>__builtin___memcpy_chk</code>
built-in is provided.  This built-in has an additional last argument,
which is the number of bytes remaining in the object the <var>dest</var>
argument points to, or <code>(size_t) -1</code> if the size is not known.

 <p>The built-in functions are optimized into the normal string functions
like <code>memcpy</code> if the last argument is <code>(size_t) -1</code> or if
it is known at compile time that the destination object will not
be overflowed.  If the compiler can determine at compile time that the
object will always be overflowed, it issues a warning.

 <p>The intended use is, for example:

<pre class="smallexample">     #undef memcpy
     #define bos0(dest) __builtin_object_size (dest, 0)
     #define memcpy(dest, src, n) \
       __builtin___memcpy_chk (dest, src, n, bos0 (dest))

     char *volatile p;
     char buf[10];
     size_t n;  /* Value not known at compile time.  */
     /* It is unknown what object p points to, so this is optimized
        into plain memcpy - no checking is possible.  */
     memcpy (p, "abcde", n);
     /* Destination is known and length too.  It is known at compile
        time there will be no overflow.  */
     memcpy (&amp;buf[5], "abcde", 5);
     /* Destination is known, but the length is not known at compile time.
        This will result in __memcpy_chk call that can check for overflow
        at runtime.  */
     memcpy (&amp;buf[5], "abcde", n);
     /* Destination is known and it is known at compile time there will
        be overflow.  There will be a warning and __memcpy_chk call that
        will abort the program at runtime.  */
     memcpy (&amp;buf[6], "abcde", 5);
</pre>
 <p>Such built-in functions are provided for <code>memcpy</code>, <code>mempcpy</code>,
<code>memmove</code>, <code>memset</code>, <code>strcpy</code>, <code>stpcpy</code>, <code>strncpy</code>,
<code>strcat</code> and <code>strncat</code>.

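 <p>The difference between <var>type</var> 0 and <var>type</var> 1, and the size comparison that a checking built-in makes with its last argument, shown as an added example that is not part of the GCC manual.  The <code>account</code> layout and all helper names are hypothetical; the sizes are taken from direct references to the object because the built-in only reports what the compiler can determine at compile time.

```c
#include <stddef.h>
#include <string.h>

/* Constructed layout: a fixed-size field followed by a flag that a
   write to the field must never reach.  */
struct account {
    char name[8];
    int is_admin;
};

static struct account acct;     /* hypothetical object, for illustration */

/* Bytes from acct.name to the end of the whole variable (type 0).  */
size_t room_whole_object(void) { return __builtin_object_size(acct.name, 0); }

/* Bytes from acct.name to the end of the name subobject (type 1).  */
size_t room_subobject(void) { return __builtin_object_size(acct.name, 1); }

/* The comparison made with the extra last argument of a checking
   built-in: (size_t) -1 means "unknown, no check possible".  */
static int fits(size_t n, size_t os)
{
    return os == (size_t) -1 || n <= os;
}

/* Would a type 0 check let an n-byte write to acct.name through?
   Nothing is copied here.  */
int whole_object_check_accepts(size_t n)
{
    return fits(n, room_whole_object());
}

/* Hypothetical setter: copies only when n fits in the name field
   itself, and reports failure instead of aborting.  */
int set_name(const char *src, size_t n)
{
    size_t os = __builtin_object_size(acct.name, 1);
    if (os == (size_t) -1 || n > os)    /* fail closed when unknown */
        return -1;
    memcpy(acct.name, src, n);
    return 0;
}

int is_admin(void) { return acct.is_admin; }
```

 <p>A write of <code>sizeof (struct account)</code> bytes to <code>name</code> passes the <var>type</var> 0 comparison because it still fits inside the variable; only the <var>type</var> 1 size rejects it before it reaches <code>is_admin</code>.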
 <p>There are also checking built-in functions for formatted output functions.
<pre class="smallexample">     int __builtin___sprintf_chk (char *s, int flag, size_t os, const char *fmt, ...);
     int __builtin___snprintf_chk (char *s, size_t maxlen, int flag, size_t os,
                                   const char *fmt, ...);
     int __builtin___vsprintf_chk (char *s, int flag, size_t os, const char *fmt,
                                   va_list ap);
     int __builtin___vsnprintf_chk (char *s, size_t maxlen, int flag, size_t os,
                                    const char *fmt, va_list ap);
</pre>
 <p>The added <var>flag</var> argument is passed unchanged to the <code>__sprintf_chk</code>
etc. functions and can contain implementation-specific flags on what
additional security measures the checking function might take, such as
handling <code>%n</code> differently.

 <p>The <var>os</var> argument is the size of the object <var>s</var> points to, like in the
other built-in functions.  There is a small difference in the behavior
though: if <var>os</var> is <code>(size_t) -1</code>, the built-in functions are
optimized into the non-checking functions only if <var>flag</var> is 0; otherwise
the checking function is called with the <var>os</var> argument set to
<code>(size_t) -1</code>.

 <p>In addition to this, there are checking built-in functions
<code>__builtin___printf_chk</code>, <code>__builtin___vprintf_chk</code>,
<code>__builtin___fprintf_chk</code> and <code>__builtin___vfprintf_chk</code>.
These have just one additional argument, <var>flag</var>, right before
the format string <var>fmt</var>.  If the compiler is able to optimize them to
<code>fputc</code> etc. functions, it will; otherwise the checking function
should be called and the <var>flag</var> argument passed to it.

 </body></html>