From: Lee Jones <lee@kernel.org>
To: David Laight <David.Laight@aculab.com>
Cc: 'Justin Stitt' <justinstitt@google.com>,
Andy Whitcroft <apw@canonical.com>, Joe Perches <joe@perches.com>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Finn Thain <fthain@linux-m68k.org>
Subject: Re: [PATCH v2] checkpatch: add check for snprintf to scnprintf
Date: Fri, 23 Feb 2024 10:41:21 +0000 [thread overview]
Message-ID: <20240223104121.GQ10170@google.com> (raw)
In-Reply-To: <dd2b4ac483b54a41aff11a04b6906fd6@AcuMS.aculab.com>
On Thu, 22 Feb 2024, David Laight wrote:
> From: Justin Stitt
> > Sent: 21 February 2024 22:12
> >
> > I am going to quote Lee Jones who has been doing some snprintf ->
> > scnprintf refactorings:
> >
> > "There is a general misunderstanding amongst engineers that
> > {v}snprintf() returns the length of the data *actually* encoded into the
> > destination array. However, as per the C99 standard {v}snprintf()
> > really returns the length of the data that *would have been* written if
> > there were enough space for it. This misunderstanding has led to
> > buffer-overruns in the past. It's generally considered safer to use the
> > {v}scnprintf() variants in their place (or even sprintf() in simple
> > cases). So let's do that."
>
> While generally true, there are places that really do want to
> detect (and error) overflow.
> That isn't possible with scnprintf().
>
> I'm not sure what the solution is though.
> Having a function that returns a negative value on overflow is also
> likely to get misused.
> seq_printf() (or whatever it is called) may let you check,
> but it is hardly a cheap wrapper and a bit of a PITA to use.
I agree.
spprinf() was my favorite solution, but it seems that the lib string
people don't like to accept new functionality, even if it's a clear
improvement over the currently available solutions.
[0] https://lore.kernel.org/all/20240130160953.766676-1-lee@kernel.org/
--
Lee Jones [李琼斯]
prev parent reply other threads:[~2024-02-23 10:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-21 22:11 [PATCH v2] checkpatch: add check for snprintf to scnprintf Justin Stitt
2024-02-21 22:33 ` Kees Cook
2024-02-22 1:05 ` Joe Perches
2024-02-23 10:38 ` Lee Jones
2024-02-23 12:47 ` Joe Perches
2024-02-22 22:30 ` David Laight
2024-02-23 10:41 ` Lee Jones [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240223104121.GQ10170@google.com \
--to=lee@kernel.org \
--cc=David.Laight@aculab.com \
--cc=apw@canonical.com \
--cc=dwaipayanray1@gmail.com \
--cc=fthain@linux-m68k.org \
--cc=joe@perches.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox