Make stoip6 return whether the conversion succeed

[Taiki-San]

Implement the change suggested by @kjbracey-arm in #71.
stoip6 now returns false if the string is too long, if characters besides hexadecimal characters or ':' are detected, or if it's missing fields.

[kjbracey]

Just in case, for backwards compatibility, keep the memset in. We've already written something to the buffer. May as well fully fill it.

I'd like to minimise the chances of breaking a large body of code using this.

Although we now are being stricter on the is_hex check. Maybe that should carry on but set an "error" flag to return false at the end? Guarantee we don't break anyone?

[Taiki-San]

Ok with memset.

As for soft failing, I'm not totally confortable with such a lax parser, especially for something as important as parsing IP addresses. If you want to push to avoid breaking third-party code, I'll make that change but I'd rather see buggy/unsafe code break before being exploited by hackers. Your call.

[kjbracey]

Tend to agree, but the current code is currently returning void, and there are lots of users, so even if you make it return false, no current code is going to be checking the return.

By returning early, you make current users process uninitialised data rather a definite value they're getting at the moment.

Once people actually start looking at the return value, then it becomes a strict parser.

[Taiki-San]

Would memset-ing the entire output buffer to 0 every time we return false be an appropriate alternative?

[kjbracey]

Seems plausible. I'm just nervous about any change to the output values here, as I suspect there's not enough CI on this repo - we wouldn't see any problems until incorporated into upstream projects.

Hmm. Okay, make it clear when returning false. (Stylistically I'm fine with a goto error for that).

[kjbracey]

Space after //, also below.

[kjbracey]

Not a fan of meaningless const in declaration prototypes - you're passing by value. You're free to retain it in the definition below, I guess, but there's no const size_t or void * const dest going on, so I think this is just randomly picked up from the line above where the const means something different. This is actually analogous to const char * const p.

(Argument variables can be declared const or not inside a function, indicating the constness of the copy. For the parameters, const is meaningless, and doesn't affect type-checking of definition versus declaration.).

[kjbracey]

If you want to be stricter, should probably reject any >4-digit segments. Could also reject coloncolon being set if already set.

[kjbracey]

I don't think this exactly match the old failure in all cases (eg non-hex digits), so probably best to not claim that.

[Taiki-San]

Is the new comment less ambiguous or should I rather drop the mention of the old behavior ?

[kjbracey]

Looks fine now apart from formatting. Make sure you run the unit test, and you should probably add a couple of tests for the new failure modes.

[kjbracey]

Formatting - space after if. "Per segment"

[kjbracey]

Formatting - space after if

[Taiki-San]

Rebased the patches after fixing the formatting you mentioned.
Also tweaked the unit tests: it's now checking that the call succeed/failed and a new tests validate the failure in a few scenarios.

[Taiki-San]

I don't have the toolchain to run the tests locally, but are they ran by the CI? 504b8b2 should have failed.

[kjbracey]

I fear the CI is not running those unit tests on PRs. This repo is low-traffic enough we've not spent much time on automation. I can run them locally.

[kjbracey]

Missing ;

[kjbracey]

Formatting

[kjbracey]

Formatting

[kjbracey]

Misplaced )

[kjbracey]

This assert failed, don't know which iteration.

[kjbracey]

Assertion failed.

[kjbracey]

Assertion failed.

[Taiki-San]

This should fix the errors. I apologize for taking so much of your time on those trivial issues.

[kjbracey]

Okay, tests pass.

[Taiki-San]

Do you want me to rebase before merging?

[kjbracey]

Yes, squash it together as much as is sensible to make it neat.

[Taiki-San]

Just noticed we're fairly lax in regard to the len argument. Specifically, if the string isn't \0-terminated, we'll over-read it. This could cause issues if the same buffer is used to parse multiple addresses.
Not sure if we should be more aggressive with stopping/reporting error, as there is a high chance that this will break third-party code, thanks to off-by-one bugs.

[kjbracey]

Probably worth tightening that. The primary use case for specifying length is when we're parsing things like http://[fe80::1] or fe80::/64 - some other layer has already identified a separator. So normally that next byte would be something that would stop the parse. I wouldn't expect someone to have a stale hex digit in the terminator position, but I guess we should be robust.

And hopefully everyone who is parsing stuff like the above is passing an accurate length showing the separator, or they'll now get 0.

[Taiki-San]

If this change is what you had in mind, I'll squash it and this PR should be ready to merge.

[kjbracey]

These should probably be len-- just to match surrounding style.

[kjbracey]

Yes, that should be fine. Squash away.

[Taiki-San]

Done, should be good to merge.

[Taiki-San]

@kjbracey-arm Would you mind merging this PR? Once it's done, I'll be able to update ARMmbed/mbed-os#6293 to use those new APIs.

[kjbracey]

We'll be merging this shortly, but I'm afraid this isn't going to make the release cycle for mbed OS 5.10, so suggest just sticking with the APIs from your previous PRs initially.

[kjbracey]

Reverted due to some system test failures, including in unit tests. (Actual PR checks are minimal on this repo, so not spotted earlier). @artokin will give some details.

When he does, please add the failures to the unit tests, and make sure you run them.

[artokin]

During the test it failed to convert 2001::0/64 [32:30:30:31:3a:3a:30:2f:36:34], is_hex is failing with character 2f.
Another failure happens with address: [66:65:38:30:3a:3a:31]

When running unittest I get the following failure:

./stoip6_unit_tests 
..................
stoip6test.cpp:37: error: Failure in TEST(stoip6, ZeroAddress)
	CHECK(0 == memcmp(ip, ipv6_test_values[i].bin, 16)) failed

.
Errors (1 failures, 19 tests, 19 ran, 42 checks, 0 ignored, 0 filtered out, 0 ms)

[kjbracey]

I did believe that first one should fail, because it was up to the caller to detect the '/' before-hand, eg via sipv6_prefixlength, if it's a prefix context, and exclude it by restricting len, rather than the conversion function quietly stopping on '/'.

In other words, that first one should work if len == 7, but fail if len > 7. (And I guess len == 6 would be valid, and len < 6 invalid?)

[Taiki-San]

I think I caught the underlying issue, will make a new PR shortly.
As for running the unit tests, I had a quick look and it looks like they're designed to run on linux with quite a few hard-coded paths. Using macOS, this makes running them non-trivial. If you have a working setup, could you give them a quick run?

[artokin]

Unit test passed now. I'm running other test to verify the functionality.