Add new APIs to address vulnerabilities in the V API by bmribler · Pull Request #881 · HDFGroup/hdf4

bmribler · 2026-06-10T15:09:24Z

The existing Vgroup APIs Vgetname, Vgetclass, and Vinquire posed multiple vulnerabilities due to the lack of size checks. Because changing their signature will break compatibilities, three new APIs are added in place of their deprecation instead. New APIs are:

int Vgetname40(int32 vkey, char *vgname, size_t *buf_size);
int Vgetclass40(int32 vkey, char *vgclass, size_t *buf_size);
int Vinquire40(int32 vkey, int32 *nentries, char *vgname, size_t *buf_size);

Fixes GH #872

The removed APIs are no longer needed with the new argument buf_size in the new APIs.
int32 Vgetnamelen(int32 vkey, uint16 name_len); / deprecated in 4.0 */
int32 Vgetclassnamelen(int32 vkey, uint16 classname_len); / deprecated in 4.0 */

The existing APIs Vgetname, Vgetclass, and Vinquire posed multiple vulnerabilities due to the lack of size checks. Because changing their signature will break compatibilities, three new APIs are added in place of their deprecation instead. New APIs are: int Vgetname40(int32 vkey, char *vgname, size_t *buf_size); int Vgetclass40(int32 vkey, char *vgclass, size_t *buf_size); int Vinquire40(int32 vkey, int32 *nentries, char *vgname, size_t *buf_size); Fixes GH HDFGroup#872

schwehr

Some quick thoughts on the changes.

Edit: Thank you! These kinds of improvements are key for the long term stability of this old, but important, code base.

schwehr · 2026-06-10T15:17:25Z

 HDFLIBAPI int32 Vgetnext(int32 vkey, int32 id);

-HDFLIBAPI int32 Vgetname(int32 vkey, char *vgname);
+HDFLIBAPI int Vgetname40(int32 vkey, char *vgname, size_t *buf_size); /* in 4.0 */


Why are there 40 added to these function names? Maybe something in the name that implies it knows the string length?

My intention for 40 is they are introduced in 4.0. :D

Actually, I'm reconsidering this position...

We'll have a clean break, no deprecated functions, cleaner API for 4.0

schwehr · 2026-06-10T15:19:05Z

-HDFLIBAPI int Vinquire(int32 vkey, int32 *nentries, char *vgname);
+HDFLIBAPI int32 Vgetnamelen(int32 vkey, uint16 *name_len); /* deprecated in 4.0 */
+
+HDFLIBAPI int32 Vgetclassnamelen(int32 vkey, uint16 *classname_len); /* deprecated in 4.0 */


Why is this also down below?

I removed them. Thanks!!

schwehr · 2026-06-10T15:20:15Z

-HDFLIBAPI int Vinquire(int32 vkey, int32 *nentries, char *vgname);
+HDFLIBAPI int32 Vgetnamelen(int32 vkey, uint16 *name_len); /* deprecated in 4.0 */
+
+HDFLIBAPI int32 Vgetclassnamelen(int32 vkey, uint16 *classname_len); /* deprecated in 4.0 */


Consider requiring the user to #define something to allow use of deprecated calls and default it to set in the CMake system?

We don't have plan to do much more in HDF4. 4.0 is very likely to be the last release. Applications can continue using 3.x if the user chooses to use deprecated APIs. Please see the note about deprecating.

schwehr · 2026-06-10T15:27:41Z

+        HGOTO_ERROR(DFE_ARGS, FAIL);
+
+    /* Get the vgroup struct for access */
+    if ((vg = VIGet_vgdesc(vkey)) == NULL)


Switching style how it checks against NULL. Above was if (NULL == . Use the same style across all.

I prefer (... == NULL) but I'll use the existing style for now.

Sounds good. I suggest a follow up PR to switch to == NULL as I agree with your take on what is better these days.

schwehr · 2026-06-10T15:29:44Z

+    if (buf_size != NULL) {
+        if (vgname == NULL || *buf_size == 0) {
+            *buf_size = name_len; /* return the name length */
+        }


Maybe return here so you don't have to indent for the else?

bmribler · 2026-06-11T15:47:02Z

@schwehr Thank you for reviewing this PR! I'll close it but create another PR soon, and apply your comments there, where appropriate.

bmribler and others added 2 commits June 10, 2026 10:47

Committing clang-format changes

973674f

bmribler requested review from brtnfld, byrnHDF, derobins, fortnern, glennsong09, jhendersonHDF, lrknox, mattjala, schwehr and vchoi-hdfgroup as code owners June 10, 2026 15:09

bmribler requested a review from ajelenak June 10, 2026 15:10

bmribler added this to the 4.0 milestone Jun 10, 2026

bmribler linked an issue Jun 10, 2026 that may be closed by this pull request

Stack buffer overflow in Vgetname, Vgetclass, and Vinquire via unbounded strcpy (CWE-121/CWE-787) #872

Open

schwehr requested changes Jun 10, 2026

View reviewed changes

Clean up

79e26d8

bmribler marked this pull request as draft June 10, 2026 17:51

bmribler closed this Jun 11, 2026

Uh oh!

Conversation

bmribler commented Jun 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

schwehr left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bmribler Jun 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bmribler commented Jun 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

bmribler commented Jun 10, 2026 •

edited

Loading

schwehr left a comment •

edited

Loading

bmribler Jun 10, 2026 •

edited

Loading

bmribler commented Jun 11, 2026 •

edited

Loading