topic Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow in Operating System - OpenVMS

F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Thomas Ritter — Tue, 04 Jul 2006 22:21:42 GMT

Most of our VMS accounts have over 130 VMS rights identifiers granted. Using the lexical function F$GETJPI("","PROCESS_RIGHTS") results in
"%DCL-W-BUFOVF, command buffer overflow - shorten expression or command line"

Is there an available technique which will allow the usage of F$GETJPI("","PROCESS_RIGHTS") with such a long list of identifiers ?

Sincerely,
Thomas

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

John Abbott_2 — Wed, 05 Jul 2006 02:21:11 GMT

Hi Thomas,

What version of VMS are you on ?

V7.3-2 introduced Extended DCL (EDCL), which increased command size limits of the command line interpreter (CLI) as follows:

Structure Old New Size Limits
Interactive DCL 255 4095 bytes
DCL commands in file 1024 8192 bytes
DCL symbols 1024 8192 bytes

Also, the library routines LIB$DO_COMMAND LIB$GET_COMMAND LIB$GET_FOREIGN LIB$GET_SYMBOL LIB$SET_SYMBOL were increase accordingly.

If you're not planning to upgrade or are no this version and have exceeded these new values, then the only alternative I can think of is to rename some of the PROCESS_RIGHTS identidifers to have shorter names (UAF RENAME/ID), in order to keep the user with the most rights within the current limits.

Regards,
John.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

John Abbott_2 — Wed, 05 Jul 2006 03:55:41 GMT

Hopefully this posted comparision will read better...

Structure Old New Size Limits
-------------------------------------------
Interactive DCL 255 4095 bytes
DCL commands in file 1024 8192 bytes
DCL symbols 1024 8192 bytes

Note that logical limits remain unchanged

J.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Karl Rohwedder — Wed, 05 Jul 2006 05:43:31 GMT

To get a stable solution regardless of limits and number of idents granted, you can e.g. use a procedure to read the rights and define DCL symbols. I attached a possible example as a starter.

regards Kalle

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Thomas Ritter — Wed, 05 Jul 2006 07:00:13 GMT

We run vms 7.3-2. I want to be able to use the lexical function f$getjpi with our long list of rights identifiers. Alternatively I will write a C routine, implemented as a foreign command do what I would prefer f$getjpi do for me.
We cannot change the names or length of the identifiers. That would be an application change. It just a pity that the process_rights argument is limited by the DCL string length. At most we would have to store upto 4,000 characters.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

John Abbott_2 — Wed, 05 Jul 2006 07:11:22 GMT

Hi Thomas, the only other option I can think of (assuming the rights aren't holder hidden (if I remember correctly!) is doing something like

$ pipe show process/id=pid/right | search/nooutput/nowarning sys$input " rights_identifier "
$ if $severity .eqs. "3" then ... rights_identifier_not_present...

or some dcl to that effect.

Hope this helps
John.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

John Abbott_2 — Wed, 05 Jul 2006 07:20:10 GMT

One thing about my last post is that I put a space in front of and after the rights_identifier I'm $SEARCHing on, to prevent a mismatch.

e.g.
User has NET$TRACEALLREMOTE and I search on NET$TRACEALL, I'll get a match unless I use these spaces, simple but not obvious.

J.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Thomas Ritter — Wed, 05 Jul 2006 07:25:43 GMT

I was really hoping someone would respond with something like "Hi Thomas, there is a new sysgen parameter for customizing DCL symbol lengths. Change this sysgen parameter DCL_MAX_SYMBOL_LENTH from 1024 to 8192 and reboot. The lexical f$getjpi("","PROCESS_RIGHTS") will be able to store the rights identifiers of any of your processes."

:(

John, thanks for your suggestions.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

John Abbott_2 — Wed, 05 Jul 2006 08:04:09 GMT

:-)

All I can suggest is try emailing Guy Peleg (Mr DCL) at dcl@hp.com your thoughts.

I've always recieved a reply from Guy that's had some thought put into it! You never know, it could be something they're working on!

Best
John.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Jan van den Ende — Wed, 05 Jul 2006 13:00:42 GMT

Thomas,

are you SURE that the F$GETJPI the problem is??

On ou system, ( 7.3-2 patches until november 2005)

$ xxx = f$fao("!8000*Y")
generates NO error.
$ show symbol xxx
does, as does
$ write sys$output xxx
but
$ write /symbol sys$output xxx
works fine.
$ yyy = f$extract(7000,1000,xxx)
$ sho sym yyy
is fine
$ xxx = xxx + "ABCDEFG"
is fine
$ f$locate("B",xxx) gives 8001, as expected
but no way to get
$ zzz = xxx - "B"
to work.

Symbols up to just over 8000 simple WORK OK.

But not all manipulations on them do!

If you compose your rights list stream, first just cut it up in 1000 char pieces.
Operate on them
(of course you will have to code around the break.

We had your same problem, way back when strings COULD be 4 K, but most string handling functions were limited to 255 char.
We routinely had rightslist strings over 1 K then.

Nowadays a big portion of our users have RIGHTS_LIST strings of over 1 K, some over 2K
(we were unlucky enough to DISCOVER the 7.3-1 bug that corrupted nonpagedpool if the string grew over 4 K )

hth

Proost.

Have one on me.

jpe

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Thomas Ritter — Wed, 05 Jul 2006 19:17:17 GMT

Hi Jan, consider this mockup SYSTEM account.
$ sh process/rights

6-JUL-2006 10:04:32.99 User: SYSTEM Process ID: 0003C518
Node: secret Process name: "system!r2"

Process rights:
SYSTEM resource
INTERACTIVE
REMOTE
DDAL$TR_MON
DFU_ALLPRIV
MQM resource
VMS$MEM_RESIDENT_USER
SYS_PROCESS_TEST_001
SYS_PROCESS_TEST_002
SYS_PROCESS_TEST_003
SYS_PROCESS_TEST_004
SYS_PROCESS_TEST_005
SYS_PROCESS_TEST_006
SYS_PROCESS_TEST_007
SYS_PROCESS_TEST_008
SYS_PROCESS_TEST_009
SYS_PROCESS_TEST_010
SYS_PROCESS_TEST_011
SYS_PROCESS_TEST_012
SYS_PROCESS_TEST_013
SYS_PROCESS_TEST_014
SYS_PROCESS_TEST_015
SYS_PROCESS_TEST_016
SYS_PROCESS_TEST_017
SYS_PROCESS_TEST_018
SYS_PROCESS_TEST_019
SYS_PROCESS_TEST_020
SYS_PROCESS_TEST_021
SYS_PROCESS_TEST_022
SYS_PROCESS_TEST_023
SYS_PROCESS_TEST_024
SYS_PROCESS_TEST_025
SYS_PROCESS_TEST_026
SYS_PROCESS_TEST_027
SYS_PROCESS_TEST_028
SYS_PROCESS_TEST_029
SYS_PROCESS_TEST_030
SYS_PROCESS_TEST_031
SYS_PROCESS_TEST_032
SYS_PROCESS_TEST_033
SYS_PROCESS_TEST_034
SYS_PROCESS_TEST_035
SYS_PROCESS_TEST_036
SYS_PROCESS_TEST_037
SYS_PROCESS_TEST_038
SYS_PROCESS_TEST_039
SYS_PROCESS_TEST_040
SYS_PROCESS_TEST_041
SYS_PROCESS_TEST_042
SYS_PROCESS_TEST_043
SYS_PROCESS_TEST_044
SYS_PROCESS_TEST_045
SYS_PROCESS_TEST_046
SYS_PROCESS_TEST_047
SYS_PROCESS_TEST_048
SYS_PROCESS_TEST_049
SYS_PROCESS_TEST_050
SYS_PROCESS_TEST_051
SYS_PROCESS_TEST_052
SYS_PROCESS_TEST_053
SYS_PROCESS_TEST_054
SYS_PROCESS_TEST_055
SYS_PROCESS_TEST_056
SYS_PROCESS_TEST_057
SYS_PROCESS_TEST_058
SYS_PROCESS_TEST_059
SYS_PROCESS_TEST_060
SYS_PROCESS_TEST_061
SYS_PROCESS_TEST_062
SYS_PROCESS_TEST_063
SYS_PROCESS_TEST_064
SYS_PROCESS_TEST_065
SYS_PROCESS_TEST_066
SYS_PROCESS_TEST_067
SYS_PROCESS_TEST_068
SYS_PROCESS_TEST_069
SYS_PROCESS_TEST_070
SYS_PROCESS_TEST_071
SYS_PROCESS_TEST_072
SYS_PROCESS_TEST_073
SYS_PROCESS_TEST_074
SYS_PROCESS_TEST_075
SYS_PROCESS_TEST_076
SYS_PROCESS_TEST_077
SYS_PROCESS_TEST_078
SYS_PROCESS_TEST_079
SYS_PROCESS_TEST_080
SYS_PROCESS_TEST_081
SYS_PROCESS_TEST_082
SYS_PROCESS_TEST_083
SYS_PROCESS_TEST_084
SYS_PROCESS_TEST_085
SYS_PROCESS_TEST_086
SYS_PROCESS_TEST_087
SYS_PROCESS_TEST_088
SYS_PROCESS_TEST_089
SYS_PROCESS_TEST_090
SYS_PROCESS_TEST_091
SYS_PROCESS_TEST_092
SYS_PROCESS_TEST_093
SYS_PROCESS_TEST_094
SYS_PROCESS_TEST_095
SYS_PROCESS_TEST_096
SYS_PROCESS_TEST_097
SYS_PROCESS_TEST_098
SYS_PROCESS_TEST_099
SYS_PROCESS_TEST_100
SYS_PROCESS_TEST_101
SYS_PROCESS_TEST_102
SYS_PROCESS_TEST_103
SYS_PROCESS_TEST_104
SYS_PROCESS_TEST_105
SYS_PROCESS_TEST_106
SYS_PROCESS_TEST_107
SYS_PROCESS_TEST_108
SYS_PROCESS_TEST_109
SYS_PROCESS_TEST_110
SYS_PROCESS_TEST_111
SYS_PROCESS_TEST_112
SYS_PROCESS_TEST_113
SYS_PROCESS_TEST_114
SYS_PROCESS_TEST_115
SYS_PROCESS_TEST_116
SYS_PROCESS_TEST_117
SYS_PROCESS_TEST_118
SYS_PROCESS_TEST_119
SYS_PROCESS_TEST_120
SYS_PROCESS_TEST_121
SYS_PROCESS_TEST_122
SYS_PROCESS_TEST_123
SYS_PROCESS_TEST_124
SYS_PROCESS_TEST_125
SYS_PROCESS_TEST_126
SYS_PROCESS_TEST_127
SYS_PROCESS_TEST_128
SYS_PROCESS_TEST_129
SYS_PROCESS_TEST_130
SYS_PROCESS_TEST_131
SYS_PROCESS_TEST_132
SYS_PROCESS_TEST_133
SYS_PROCESS_TEST_134
SYS_PROCESS_TEST_135
SYS_PROCESS_TEST_136
SYS_PROCESS_TEST_137
SYS_PROCESS_TEST_138
SYS_PROCESS_TEST_139
SYS_PROCESS_TEST_140
SYS_PROCESS_TEST_141
SYS_PROCESS_TEST_142
SYS_PROCESS_TEST_143
SYS_PROCESS_TEST_144
SYS_PROCESS_TEST_145
SYS_PROCESS_TEST_146
SYS_PROCESS_TEST_147
SYS_PROCESS_TEST_148
SYS_PROCESS_TEST_149
SYS_PROCESS_TEST_150
SYS_PROCESS_TEST_151

System rights:
SYS$NODE_SECRET

Soft CPU Affinity: off
$ write sys$output f$getjpi("","process_rights")
%DCL-W-BUFOVF, command buffer overflow - shorten expression or command line
$ x = f$getjpi("","process_rights")
%DCL-W-BUFOVF, command buffer overflow - shorten expression or command line

I remove the identifiers

wizdv!r2> SH PROCESS/RIGHT

6-JUL-2006 10:09:14.94 User: SYSTEM Process ID: 00041B1D
Node: SECRET
Process name: "system!r2"

Process rights:
SYSTEM resource
INTERACTIVE
REMOTE
DDAL$TR_MON
DFU_ALLPRIV
MQM resource
VMS$MEM_RESIDENT_USER

System rights:
SYS$NODE_SECRET

Soft CPU Affinity: off
$ WRITE SYS$OUTPUT F$GETJPI("","PROCESS_RIGHTS")
SYSTEM,INTERACTIVE,REMOTE,DDAL$TR_MON,DFU_ALLPRIV,MQM,VMS$MEM_RESIDENT_USER

The size of the processes' rights identifier is the problem. I used a command procedure to grant and revoke the identifiers.
:)

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Guy Peleg — Thu, 06 Jul 2006 01:25:43 GMT

Hi Thomas,

This is a bug !!

well...maybe not a bug but a design
limitation.....no...it's a bug ;-)

When I designed EDCL I restricted the
lexical functions to use the old buffer
size. If you use one of the cluster aware
lexical functions (like F$GETJPI) and you
are operating on a non-EDCL node, DCL
sends large buffer over the network which
eventually will result in the non edcl
system choking and the operation will fail.

Lately I removed part of the restriction
and local lexical functions (like F$TYPE)
now use large buffers. This change is
shipping with the latest DCL ECO for V7.3-2.

John Brodribb brought this problem
to my attention and I'm working on a fix
for the cluster aware lexicals. Should
be ready within few days.

Guy

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

John Abbott_2 — Thu, 06 Jul 2006 01:57:10 GMT

There you go Thomas! I knew Guy would have the answer !! :-) 10 point to him !!

J.

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Jan van den Ende — Thu, 06 Jul 2006 03:37:51 GMT

Thomas,

the only fifference I was able to spot between your command and ours is that we use RIGHTSLIST instead of PROCESS_RIGHTS.
If that is significant I can not test right now :-(

fwiw

Proost.

Have one on me.

jpe

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Thomas Ritter — Thu, 06 Jul 2006 03:59:47 GMT

Great new :) This would make for some new elegant DCL procedures.

Jan, RIGHTSLIST and PROCESS_RIGHTS exhibit the same behaviour. Add more identifiers to you tested VMS account.

Guy, how big will the buffer be ?

John, thanks for you comments.

Thanks to the HP Support team in Sydney.

Sincerely,
Thomas

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Guy Peleg — Thu, 06 Jul 2006 04:03:56 GMT

Hi Thomas,

The new buffer length is 4K (4096 bytes).

Talk to your support team in Sydney, they
have a new DCL image waiting for you ;-)

Guy

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Robert Gezelter — Thu, 06 Jul 2006 05:27:53 GMT

Guy,

I do not like to add to the work list, but the point that was made earlier is valid. Even with the EDCL symbol length, there will be situations where the results of F$GETJPI on RIGHTLIST will exceed the extended buffer.

The elegrant solution would be to be able to use a context parameter (e.g., F$SEARCH) to iterate through the RIGHTLIST (or similar lists) one at a time. Alternatively, a function (or subfunction) that took an identifier and its attribute and returned TRUE or FALSE (e.g. F$PRIVILEGE for RIGHTSLIST).

As environments get more complex, with increasing security requirements, we are likely to see this appear with increasing frequency.

- Bob Gezelter, http://www.rlgsc.com

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Jan van den Ende — Thu, 06 Jul 2006 05:50:56 GMT

Count this as one vote of support for Bob's proposal!

Proost.

Have one on me.

jpe

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

Karl Rohwedder — Thu, 06 Jul 2006 05:59:17 GMT

Here's another vote for it...

regards Kalle

Re: F$GETJPI("","PROCESS_RIGHTS") %DCL-W-BUFOVF, command buffer overflow

John Abbott_2 — Thu, 06 Jul 2006 06:06:46 GMT

We're increasingly using process rights, I suspect we'll hit this problem in a couple of years.

John.