Re: [PATCH 0/3] cmd: setexpr: add fmt format string operation

[Marek Behun <marek.behun@nic.cz>]

On Tue, 29 Jun 2021 09:41:25 +0000
"Roland Gaudig (OSS)" <roland.gaudig-oss@weidmueller.com> wrote:

> I think just passing the format string directly to sprintf should be
> avoided because it is unsafe. For example
> 
> => setexpr foo fmt %s 0xffffffff  
> 
> would surely lead to access on memory location outside the variable
> where 0xffffffff is stored.

+1. I guess Wolfgang's rationale was that in U-Boot we already have
pretty serious means to break the system, so allowing the user to
directly pass wrong parameters to sprintf is not that much of a problem
since we can say that the user should know what they are doing.

But implementing a dedicated format parser for this that is also safe
is a simple exercise, imho, so I think we should do this properly, if
at all.

> > This was actually one of my intentions when making this suggestion -
> > to be able to construct any kind of data from pieces; say, for
> > example:
> >   
> > => setexpr foo fmt "%0x08x-%s-%d-%s" $a $b $c $d  
> 
> I think the only way to support such expressions in a save way would
> be implementing an own format string parser for setexpr with
> corresponding checks if access is possible, instead of just directly
> passing all values unchecked to sprintf.

We can properly implement
 %s with field width, justification

 %c

 integral types (everything 64-bits, no reason for length modifiers,
 imho) with field width, precision, zero padding, sign forcing,
 etc...

We don't need floating points nor out of order arguments.

Marek