Issue with asprintf()

Issue with asprintf()

[Archie Cobbs]

Hi,

There seems to be an issue with the asprintf() man page and underlying
implementation (I'm using openSUSE 13.1 - man-pages-3.53).

Since asprintf() is not POSIX, the man page effectively becomes the
specification of its behavior. The man page says:

    If memory allocation wasn't possible, or some other error occurs,
these functions will return -1, and the contents of strp is undefined.

The problem is that:

  o What actually happens is that the contents of strp are
_unmodified_ (not _undefined_)
  o There is critical code out there that depends on this undocumented
behavior (e.g., systemd)
  o Maintainers of that critical code don't believe their code doing
anything wrong (https://bugs.freedesktop.org/show_bug.cgi?id=90017)

This is a great way to create a security hole five years from now,
when someone optimizes asprintf() so that it actually does clobber
strp on error.

One argument says well, Leonnard is just wrong .. but let's not
restart that debate here :)

On the other hand, he has a good point: a much simpler fix, which
would make life easier for programmers everywhere, would be to change
the specified behavior from undefined -> unmodified, because this
allows the caller to initialize strp to NULL and get back a
free()'able value no matter what.

So... is is possible to tighten the "undefined" to be "unmodified" and
reflect reality?

FWIW, FreeBSD sets *strp to null on error, which is even nicer for the
programmer.

-Archie

-- 
Archie L. Cobbs
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Issue with asprintf()

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 555 bytes --]

On 11 May 2015 17:46, Archie Cobbs wrote:
> There seems to be an issue with the asprintf() man page and underlying
> implementation (I'm using openSUSE 13.1 - man-pages-3.53).
> 
> Since asprintf() is not POSIX, the man page effectively becomes the
> specification of its behavior.

not really.  glibc specifies its behavior in its manual:
	https://www.gnu.org/software/libc/manual/html_node/Dynamic-Output.html

any behavior not covered in the manual is unspecified.  if you want to clarify 
it, you should start with the glibc lists.
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Issue with asprintf()

[Michael Kerrisk (man-pages)]

On 12 May 2015 at 04:58, Mike Frysinger <vapier-aBrp7R+bbdUdnm+yROfE0A@public.gmane.org> wrote:
> On 11 May 2015 17:46, Archie Cobbs wrote:
>> There seems to be an issue with the asprintf() man page and underlying
>> implementation (I'm using openSUSE 13.1 - man-pages-3.53).
>>
>> Since asprintf() is not POSIX, the man page effectively becomes the
>> specification of its behavior.
>
> not really.  glibc specifies its behavior in its manual:
>         https://www.gnu.org/software/libc/manual/html_node/Dynamic-Output.html

Mike is of course right.

> any behavior not covered in the manual is unspecified.  if you want to clarify
> it, you should start with the glibc lists.

But it would be good to have this point clarified. The glibc manual
omits to say anything here.

Archie, do you want to take this to libc-alpha-9JcytcrH/bA+uJoB2kUjGw@public.gmane.org (and CC
me, so that I might fix the man page if anything useful comes out of
the conversation)?

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Issue with asprintf()

[Archie Cobbs]

On Tue, May 12, 2015 at 12:17 AM, Michael Kerrisk (man-pages)
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 12 May 2015 at 04:58, Mike Frysinger <vapier-aBrp7R+bbdUdnm+yROfE0A@public.gmane.org> wrote:
>> On 11 May 2015 17:46, Archie Cobbs wrote:
>>> There seems to be an issue with the asprintf() man page and underlying
>>> implementation (I'm using openSUSE 13.1 - man-pages-3.53).
>>>
>>> Since asprintf() is not POSIX, the man page effectively becomes the
>>> specification of its behavior.
>>
>> not really.  glibc specifies its behavior in its manual:
>>         https://www.gnu.org/software/libc/manual/html_node/Dynamic-Output.html
>
> Mike is of course right.
>
>> any behavior not covered in the manual is unspecified.  if you want to clarify
>> it, you should start with the glibc lists.
>
> But it would be good to have this point clarified. The glibc manual
> omits to say anything here.
>
> Archie, do you want to take this to libc-alpha-9JcytcrH/bA+uJoB2kUjGw@public.gmane.org (and CC
> me, so that I might fix the man page if anything useful comes out of
> the conversation)?

Hi Michael,

Will do.. thanks for the pointer.

-Archie

-- 
Archie L. Cobbs
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html