From: Albert ARIBAUD <albert.u.boot@aribaud.net>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 0/4] Buffer overruns in printf
Date: Sun, 25 Sep 2011 10:40:48 +0200 [thread overview]
Message-ID: <4E7EE910.8090504@aribaud.net> (raw)
In-Reply-To: <CAPnjgZ23C8HtVd702e7hhnBv0F+C4tUkEHycKg1_VEviYVvBMQ@mail.gmail.com>
Le 24/09/2011 16:00, Simon Glass a ?crit :
>> So basically the choice is between:
>>
>> - adding code to the printf() family to try and fix an issue that it is
>> fundamentally unable to properly fix, and for which a solution exists, or
>>
>> - grepping and fixing calls to *sprintf() in U-Boot that do not respect the
>> known contraints of printf(), by resizing the buffer or calling *snprintf()
>> instead.
>>
>> I am definitely not in favor of the first option concerning U-Boot.
>
> Sounds fine to me. So I think we need the nprintf() variants in there,
> but the message is not to use them willy nilly. Going back to my patch
> series, 3/4 is ok, but 4/4 mostly crosses the line. Do I have that
> right?
It is the exact opposite for me : 3/4 makes all printf functions work
like some kind of *nprintf(), while 4/4 is about the network code
switching to *nprintf() for safety, so 3/4 would be nak and 4/4 ack as
far as I am concerned.
Basically, printf family functions which do not have the 'n' are *know*
by all -- experienced enough :) -- programmers to be *unsafe* (but to
require less from the caller) and it should remain so: no programmer
should ever encounter an implementation of printf that pretends to be
even somewhat safe, because it might bite him/her elsewhere, in another
project based on another C library where printf is just the beartrap it
usually is.
IOW, programmers already have assumptions about *printf(), including how
to deal with length limitations and what happens if you don't, and it is
best that these assumption remain true whatever project they work with.
> By the way, printf() ends up calling the same code, but without limit
> checking in place. The alternative is to duplicate all the format
> string processing code (a limit-checking version and an unchecked
> version) which would be worse.
I don't intend to dictate the way things can be implemented, so the
degree of code reuse is an open question as far as I am concerned. I am
only voicing my opinion that *printf() APIs and their contracts should
remain identical across all implementations of *printf(), and thus that
providing *nprintf() where they don't exist is commandable, but
hardening printf() is not, since you basically cannot do it without
somewhat departing from the de facto standard.
> Regards,
> Simon
Amicalement,
--
Albert.
next prev parent reply other threads:[~2011-09-25 8:40 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-23 17:38 [U-Boot] [PATCH 0/4] Buffer overruns in printf Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 1/4] Add limits.h to hold basic limits Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 2/4] Add safe vsnprintf and snprintf library functions Simon Glass
2011-09-23 23:56 ` Graeme Russ
2011-09-28 23:26 ` Sonny Rao
2011-09-29 0:00 ` Graeme Russ
2011-09-29 0:38 ` Sonny Rao
2011-09-29 0:44 ` Graeme Russ
2011-09-23 17:38 ` [U-Boot] [PATCH 3/4] Make printf and vprintf safe from buffer overruns Simon Glass
2011-09-23 18:36 ` Kumar Gala
2011-09-23 18:48 ` Simon Glass
2011-09-23 20:31 ` Mike Frysinger
2011-09-23 20:41 ` Simon Glass
2011-09-23 22:36 ` Mike Frysinger
2011-09-23 23:06 ` Simon Glass
2011-09-25 20:16 ` Wolfgang Denk
2011-09-25 20:14 ` Wolfgang Denk
2011-09-26 18:25 ` Simon Glass
2011-09-26 18:47 ` Wolfgang Denk
2011-09-26 19:02 ` Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 4/4] Use snprintf() in network code Simon Glass
2011-09-23 18:15 ` Mike Frysinger
2011-09-23 18:30 ` Simon Glass
2011-09-23 20:09 ` Mike Frysinger
2011-09-23 20:39 ` Simon Glass
2011-09-23 20:40 ` [U-Boot] [PATCH 0/4] Buffer overruns in printf Albert ARIBAUD
2011-09-23 20:46 ` Simon Glass
2011-09-24 9:37 ` Albert ARIBAUD
2011-09-24 14:00 ` Simon Glass
2011-09-25 8:40 ` Albert ARIBAUD [this message]
2011-09-25 14:50 ` Simon Glass
2011-09-26 11:20 ` Albert ARIBAUD
2011-09-26 17:50 ` Simon Glass
2011-09-26 18:36 ` Wolfgang Denk
2011-09-26 22:28 ` Scott Wood
2011-09-27 6:52 ` Albert ARIBAUD
2011-10-10 19:06 ` Simon Glass
2011-10-10 20:36 ` Wolfgang Denk
2011-10-10 20:42 ` Simon Glass
2011-09-25 20:04 ` Wolfgang Denk
2011-09-26 17:30 ` Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E7EE910.8090504@aribaud.net \
--to=albert.u.boot@aribaud.net \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.