* Bug#794947: manpages-dev: printf(3) example: possible integer overflow
@ 2016-02-17 12:40 Stéphane Aulery
[not found] ` <e62670273dd84e658fe32cda6e16e94b-lkSrsyIBln0dnm+yROfE0A@public.gmane.org>
0 siblings, 1 reply; 3+ messages in thread
From: Stéphane Aulery @ 2016-02-17 12:40 UTC (permalink / raw)
To: 794947, control, linux-man, wharms
retitle 794947 printf(3): possible integer overflow in make_message
example
severity 794947 wishlist
tags 794947 + confirmed
tags 794947 + upstream
forwarded 794947 linux-man@vger.kernel.org
stop
-----
Hello Walter,
Jakub Wilk reported a possible integer overflow in make_message example
:
> The example in the printf(3) manpages looks like this (with boring
> parts
> omitted):
>
> int n;
> /* ... */
> n = vsnprintf(p, size, fmt, ap);
> /* ... */
> if (n < 0) {
> /* ... */
> return NULL;
> }
> /* ... */
> size = n + 1;
>
>
> But vsnprintf could return INT_MAX, which would then cause "n + 1" to
> overflow.
>
> (AFAICS, the glibc vsnprintf implementation never returns INT_MAX, but
> it could in principle.)
>
> I'd suggest changing "n < 0" to "n < 0 || n == INT_MAX".
Since this example has been modified by you (Walter Harms), after the
bug #794947 [1] has been reported, I wanted to ask your opinion on the
best option.
Should we add this test to good practice, or rather a comment to mention
that the case is not taken into account because the example uses glibc?
Regards,
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794947
--
Stéphane Aulery
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: manpages-dev: printf(3) example: possible integer overflow
[not found] ` <e62670273dd84e658fe32cda6e16e94b-lkSrsyIBln0dnm+yROfE0A@public.gmane.org>
@ 2016-02-17 21:13 ` walter harms
[not found] ` <56C4E269.5020108-fPG8STNUNVg@public.gmane.org>
0 siblings, 1 reply; 3+ messages in thread
From: walter harms @ 2016-02-17 21:13 UTC (permalink / raw)
To: saulery-lkSrsyIBln0dnm+yROfE0A
Cc: 794947-61a8vm9lEZVf4u+23C9RwQ, control-61a8vm9lEZVf4u+23C9RwQ,
linux-man-u79uwXL29TY76Z2rM5mHXA
Am 17.02.2016 13:40, schrieb Stéphane Aulery:
> retitle 794947 printf(3): possible integer overflow in make_message example
> severity 794947 wishlist
> tags 794947 + confirmed
> tags 794947 + upstream
> forwarded 794947 linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> stop
>
> -----
>
> Hello Walter,
>
> Jakub Wilk reported a possible integer overflow in make_message example :
>
>> The example in the printf(3) manpages looks like this (with boring parts
>> omitted):
>>
>> int n;
>> /* ... */
>> n = vsnprintf(p, size, fmt, ap);
>> /* ... */
>> if (n < 0) {
>> /* ... */
>> return NULL;
>> }
>> /* ... */
>> size = n + 1;
>>
>>
>> But vsnprintf could return INT_MAX, which would then cause "n + 1" to
>> overflow.
>>
>> (AFAICS, the glibc vsnprintf implementation never returns INT_MAX, but
>> it could in principle.)
>>
>> I'd suggest changing "n < 0" to "n < 0 || n == INT_MAX".
>
>
Hi,
the bug is real, the type of size should be size_t (in my original post it was int)
That would make the error check useless, so we would need to store
the vsnprintf return value in an int.
The problem is that the idea was to have a simple example and cluttering
it with error checks will make it hard to read. How many people would
notice that size_t is unsigned and n is signed ? (i added an comment).
IMHO we should simply add a sentence that "examples are examples and
will not check for every possible error condition."
re,
wh
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
char *
make_message2 (const char *fmt, ...)
{
int n = 0;
size_t size=0;
char *p = NULL;
va_list ap;
/* figure our required size */
va_start (ap, fmt);
n = vsnprintf (p, size, fmt, ap);
va_end (ap);
if (n < 0)
return NULL;
/* size is unsigned */
size=n;
/* leave room for \0 */
size++;
p = malloc (size);
if (p == NULL)
return NULL;
va_start (ap, fmt);
n = vsnprintf (p, size, fmt, ap);
va_end (ap);
return p;
}
> Since this example has been modified by you (Walter Harms), after the
> bug #794947 [1] has been reported, I wanted to ask your opinion on the
> best option.
>
> Should we add this test to good practice, or rather a comment to mention
> that the case is not taken into account because the example uses glibc?
>
> Regards,
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794947
>
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Bug#794947: manpages-dev: printf(3) example: possible integer overflow
[not found] ` <56C4E269.5020108-fPG8STNUNVg@public.gmane.org>
@ 2016-02-18 19:18 ` Stéphane Aulery
0 siblings, 0 replies; 3+ messages in thread
From: Stéphane Aulery @ 2016-02-18 19:18 UTC (permalink / raw)
To: wharms-fPG8STNUNVg, 794947-61a8vm9lEZVf4u+23C9RwQ
Cc: linux-man-u79uwXL29TY76Z2rM5mHXA
Hello Walter,
Le 17/02/2016 22:13, walter harms a écrit :
>>
>> Jakub Wilk reported a possible integer overflow in make_message example :
>>
>>> The example in the printf(3) manpages looks like this (with boring parts
>>> omitted):
>>>
>>> int n;
>>> /* ... */
>>> n = vsnprintf(p, size, fmt, ap);
>>> /* ... */
>>> if (n < 0) {
>>> /* ... */
>>> return NULL;
>>> }
>>> /* ... */
>>> size = n + 1;
>>>
>>>
>>> But vsnprintf could return INT_MAX, which would then cause "n + 1" to
>>> overflow.
>>>
>>> (AFAICS, the glibc vsnprintf implementation never returns INT_MAX, but
>>> it could in principle.)
>>>
>>> I'd suggest changing "n < 0" to "n < 0 || n == INT_MAX".
>>
>
> the bug is real, the type of size should be size_t (in my original post it was int)
> That would make the error check useless, so we would need to store
> the vsnprintf return value in an int.
>
> The problem is that the idea was to have a simple example and cluttering
> it with error checks will make it hard to read. How many people would
> notice that size_t is unsigned and n is signed ? (i added an comment).
>
> IMHO we should simply add a sentence that "examples are examples and
> will not check for every possible error condition."
I agree with the general idea: the examples must remain so. They must
also be correct. Tough choice!
I will not put a note on this page about it, nor on the other, too much
for so little.
man-pages.7 specifically requests:
Example programs shoulds be fairly short (preferably less than 100
lines;
Ideally less than 50 lines).
Example programs shoulds do error checking after-system calls and
library function calls.
So I will do a patch with your new corrected version that is very readable.
Thanks a lot for your help.
Regards,
--
Stéphane Aulery
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-02-18 19:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-17 12:40 Bug#794947: manpages-dev: printf(3) example: possible integer overflow Stéphane Aulery
[not found] ` <e62670273dd84e658fe32cda6e16e94b-lkSrsyIBln0dnm+yROfE0A@public.gmane.org>
2016-02-17 21:13 ` walter harms
[not found] ` <56C4E269.5020108-fPG8STNUNVg@public.gmane.org>
2016-02-18 19:18 ` Bug#794947: " Stéphane Aulery
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).