From: Lee Jones <lee@kernel.org>
To: David Laight <David.Laight@aculab.com>
Cc: 'Justin Stitt' <justinstitt@google.com>,
Andy Whitcroft <apw@canonical.com>, Joe Perches <joe@perches.com>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Finn Thain <fthain@linux-m68k.org>
Subject: Re: [PATCH v2] checkpatch: add check for snprintf to scnprintf
Date: Fri, 23 Feb 2024 10:41:21 +0000 [thread overview]
Message-ID: <20240223104121.GQ10170@google.com> (raw)
In-Reply-To: <dd2b4ac483b54a41aff11a04b6906fd6@AcuMS.aculab.com>
On Thu, 22 Feb 2024, David Laight wrote:
> From: Justin Stitt
> > Sent: 21 February 2024 22:12
> >
> > I am going to quote Lee Jones who has been doing some snprintf ->
> > scnprintf refactorings:
> >
> > "There is a general misunderstanding amongst engineers that
> > {v}snprintf() returns the length of the data *actually* encoded into the
> > destination array. However, as per the C99 standard {v}snprintf()
> > really returns the length of the data that *would have been* written if
> > there were enough space for it. This misunderstanding has led to
> > buffer-overruns in the past. It's generally considered safer to use the
> > {v}scnprintf() variants in their place (or even sprintf() in simple
> > cases). So let's do that."
>
> While generally true, there are places that really do want to
> detect (and error) overflow.
> That isn't possible with scnprintf().
>
> I'm not sure what the solution is though.
> Having a function that returns a negative value on overflow is also
> likely to get misused.
> seq_printf() (or whatever it is called) may let you check,
> but it is hardly a cheap wrapper and a bit of a PITA to use.
I agree.
spprinf() was my favorite solution, but it seems that the lib string
people don't like to accept new functionality, even if it's a clear
improvement over the currently available solutions.
[0] https://lore.kernel.org/all/20240130160953.766676-1-lee@kernel.org/
--
Lee Jones [李琼斯]
prev parent reply other threads:[~2024-02-23 10:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-21 22:11 [PATCH v2] checkpatch: add check for snprintf to scnprintf Justin Stitt
2024-02-21 22:33 ` Kees Cook
2024-02-22 1:05 ` Joe Perches
2024-02-23 10:38 ` Lee Jones
2024-02-23 12:47 ` Joe Perches
2024-02-22 22:30 ` David Laight
2024-02-23 10:41 ` Lee Jones [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240223104121.GQ10170@google.com \
--to=lee@kernel.org \
--cc=David.Laight@aculab.com \
--cc=apw@canonical.com \
--cc=dwaipayanray1@gmail.com \
--cc=fthain@linux-m68k.org \
--cc=joe@perches.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.