From: David Laight <David.Laight@ACULAB.COM>
To: 'Justin Stitt' <justinstitt@google.com>,
Andy Whitcroft <apw@canonical.com>, Joe Perches <joe@perches.com>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Lee Jones <lee@kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
"Finn Thain" <fthain@linux-m68k.org>
Subject: RE: [PATCH v2] checkpatch: add check for snprintf to scnprintf
Date: Thu, 22 Feb 2024 22:30:46 +0000 [thread overview]
Message-ID: <dd2b4ac483b54a41aff11a04b6906fd6@AcuMS.aculab.com> (raw)
In-Reply-To: <20240221-snprintf-checkpatch-v2-1-9baeb59dae30@google.com>
From: Justin Stitt
> Sent: 21 February 2024 22:12
>
> I am going to quote Lee Jones who has been doing some snprintf ->
> scnprintf refactorings:
>
> "There is a general misunderstanding amongst engineers that
> {v}snprintf() returns the length of the data *actually* encoded into the
> destination array. However, as per the C99 standard {v}snprintf()
> really returns the length of the data that *would have been* written if
> there were enough space for it. This misunderstanding has led to
> buffer-overruns in the past. It's generally considered safer to use the
> {v}scnprintf() variants in their place (or even sprintf() in simple
> cases). So let's do that."
While generally true, there are places that really do want to
detect (and error) overflow.
That isn't possible with scnprintf().
I'm not sure what the solution is though.
Having a function that returns a negative value on overflow is also
likely to get misused.
seq_printf() (or whatever it is called) may let you check,
but it is hardly a cheap wrapper and a bit of a PITA to use.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
next prev parent reply other threads:[~2024-02-22 22:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-21 22:11 [PATCH v2] checkpatch: add check for snprintf to scnprintf Justin Stitt
2024-02-21 22:33 ` Kees Cook
2024-02-22 1:05 ` Joe Perches
2024-02-23 10:38 ` Lee Jones
2024-02-23 12:47 ` Joe Perches
2024-02-22 22:30 ` David Laight [this message]
2024-02-23 10:41 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd2b4ac483b54a41aff11a04b6906fd6@AcuMS.aculab.com \
--to=david.laight@aculab.com \
--cc=apw@canonical.com \
--cc=dwaipayanray1@gmail.com \
--cc=fthain@linux-m68k.org \
--cc=joe@perches.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=lee@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox