From: Albert ARIBAUD <albert.u.boot@aribaud.net>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 0/4] Buffer overruns in printf
Date: Sun, 25 Sep 2011 10:40:48 +0200 [thread overview]
Message-ID: <4E7EE910.8090504@aribaud.net> (raw)
In-Reply-To: <CAPnjgZ23C8HtVd702e7hhnBv0F+C4tUkEHycKg1_VEviYVvBMQ@mail.gmail.com>
Le 24/09/2011 16:00, Simon Glass a ?crit :
>> So basically the choice is between:
>>
>> - adding code to the printf() family to try and fix an issue that it is
>> fundamentally unable to properly fix, and for which a solution exists, or
>>
>> - grepping and fixing calls to *sprintf() in U-Boot that do not respect the
>> known contraints of printf(), by resizing the buffer or calling *snprintf()
>> instead.
>>
>> I am definitely not in favor of the first option concerning U-Boot.
>
> Sounds fine to me. So I think we need the nprintf() variants in there,
> but the message is not to use them willy nilly. Going back to my patch
> series, 3/4 is ok, but 4/4 mostly crosses the line. Do I have that
> right?
It is the exact opposite for me : 3/4 makes all printf functions work
like some kind of *nprintf(), while 4/4 is about the network code
switching to *nprintf() for safety, so 3/4 would be nak and 4/4 ack as
far as I am concerned.
Basically, printf family functions which do not have the 'n' are *know*
by all -- experienced enough :) -- programmers to be *unsafe* (but to
require less from the caller) and it should remain so: no programmer
should ever encounter an implementation of printf that pretends to be
even somewhat safe, because it might bite him/her elsewhere, in another
project based on another C library where printf is just the beartrap it
usually is.
IOW, programmers already have assumptions about *printf(), including how
to deal with length limitations and what happens if you don't, and it is
best that these assumption remain true whatever project they work with.
> By the way, printf() ends up calling the same code, but without limit
> checking in place. The alternative is to duplicate all the format
> string processing code (a limit-checking version and an unchecked
> version) which would be worse.
I don't intend to dictate the way things can be implemented, so the
degree of code reuse is an open question as far as I am concerned. I am
only voicing my opinion that *printf() APIs and their contracts should
remain identical across all implementations of *printf(), and thus that
providing *nprintf() where they don't exist is commandable, but
hardening printf() is not, since you basically cannot do it without
somewhat departing from the de facto standard.
> Regards,
> Simon
Amicalement,
--
Albert.
next prev parent reply other threads:[~2011-09-25 8:40 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-23 17:38 [U-Boot] [PATCH 0/4] Buffer overruns in printf Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 1/4] Add limits.h to hold basic limits Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 2/4] Add safe vsnprintf and snprintf library functions Simon Glass
2011-09-23 23:56 ` Graeme Russ
2011-09-28 23:26 ` Sonny Rao
2011-09-29 0:00 ` Graeme Russ
2011-09-29 0:38 ` Sonny Rao
2011-09-29 0:44 ` Graeme Russ
2011-09-23 17:38 ` [U-Boot] [PATCH 3/4] Make printf and vprintf safe from buffer overruns Simon Glass
2011-09-23 18:36 ` Kumar Gala
2011-09-23 18:48 ` Simon Glass
2011-09-23 20:31 ` Mike Frysinger
2011-09-23 20:41 ` Simon Glass
2011-09-23 22:36 ` Mike Frysinger
2011-09-23 23:06 ` Simon Glass
2011-09-25 20:16 ` Wolfgang Denk
2011-09-25 20:14 ` Wolfgang Denk
2011-09-26 18:25 ` Simon Glass
2011-09-26 18:47 ` Wolfgang Denk
2011-09-26 19:02 ` Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 4/4] Use snprintf() in network code Simon Glass
2011-09-23 18:15 ` Mike Frysinger
2011-09-23 18:30 ` Simon Glass
2011-09-23 20:09 ` Mike Frysinger
2011-09-23 20:39 ` Simon Glass
2011-09-23 20:40 ` [U-Boot] [PATCH 0/4] Buffer overruns in printf Albert ARIBAUD
2011-09-23 20:46 ` Simon Glass
2011-09-24 9:37 ` Albert ARIBAUD
2011-09-24 14:00 ` Simon Glass
2011-09-25 8:40 ` Albert ARIBAUD [this message]
2011-09-25 14:50 ` Simon Glass
2011-09-26 11:20 ` Albert ARIBAUD
2011-09-26 17:50 ` Simon Glass
2011-09-26 18:36 ` Wolfgang Denk
2011-09-26 22:28 ` Scott Wood
2011-09-27 6:52 ` Albert ARIBAUD
2011-10-10 19:06 ` Simon Glass
2011-10-10 20:36 ` Wolfgang Denk
2011-10-10 20:42 ` Simon Glass
2011-09-25 20:04 ` Wolfgang Denk
2011-09-26 17:30 ` Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E7EE910.8090504@aribaud.net \
--to=albert.u.boot@aribaud.net \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox