From: Scott Wood <scottwood@freescale.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 0/4] Buffer overruns in printf
Date: Mon, 26 Sep 2011 17:28:34 -0500 [thread overview]
Message-ID: <4E80FC92.9040500@freescale.com> (raw)
In-Reply-To: <4E806006.2060105@aribaud.net>
On 09/26/2011 06:20 AM, Albert ARIBAUD wrote:
> Hi Simon,
>
> Le 25/09/2011 16:50, Simon Glass a ?crit :
>
>>> Basically, printf family functions which do not have the 'n' are *know* by
>>> all -- experienced enough :) -- programmers to be *unsafe* (but to require
>>> less from the caller)
printf()/fprintf() are usually safe enough for the things they're used for.
> and it should remain so: no programmer should ever
>>> encounter an implementation of printf that pretends to be even somewhat
>>> safe, because it might bite him/her elsewhere, in another project based on
>>> another C library where printf is just the beartrap it usually is.
And we should mount large spikes on every steering wheel to make people
drive more carefully. :-P
> I should clarify indeed. My opinion, expressed as a single general rule,
> is "keep the known semantics of *printf() function family unchanged in
> U-Boot wrt all other printif implementations around". Thus I think that:
FWIW, Linux's printk() truncates output if it exceeds the internal
buffer. glibc's is an ugly mess, but appears to not need a fixed printf
buffer -- it streams output into its file buffering mechanism. That
there may be some crappy implementations out there is no excuse for
making these functions difficult to use everywhere.
> Conversively, implementers of the printf() function need not
> consider any specific recovery action with regard to size issues. For
> instance, why do we have an internal buffer for printf to begin with?
> The implementation does not need them
Apparently this implementation does. I suppose you could rewrite the
code to not need one, but is that really worthwhile here, compared to
this easy and virtually cost-free (once you have snprintf) form of
damage control? It's just passing in a meaningful number to vsnprintf
instead of INT_MAX. You could save some bytes by removing vsprintf(),
as well.
> (and besides, I guess the buffer
> does not respect the single C99 environmental constraint for printf,
> that any field should be able to be at least 4095 bytes -- no kidding).
That this minimum is more than most boards allow for the entire output,
and that it is board-specific (so it could work for one board but fail
for another), are all the more reason to want some safety here. I'd
much rather see a truncated message (and proceed to fix the obvious bug)
than have to debug corruption and possibly recover a bricked board.
> - users who actually wisht to limit outpout ca use either
You say "actually wish to limit output" as if "let it corrupt memory if
it's too large" is the normal thing to want.
-scott
next prev parent reply other threads:[~2011-09-26 22:28 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-23 17:38 [U-Boot] [PATCH 0/4] Buffer overruns in printf Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 1/4] Add limits.h to hold basic limits Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 2/4] Add safe vsnprintf and snprintf library functions Simon Glass
2011-09-23 23:56 ` Graeme Russ
2011-09-28 23:26 ` Sonny Rao
2011-09-29 0:00 ` Graeme Russ
2011-09-29 0:38 ` Sonny Rao
2011-09-29 0:44 ` Graeme Russ
2011-09-23 17:38 ` [U-Boot] [PATCH 3/4] Make printf and vprintf safe from buffer overruns Simon Glass
2011-09-23 18:36 ` Kumar Gala
2011-09-23 18:48 ` Simon Glass
2011-09-23 20:31 ` Mike Frysinger
2011-09-23 20:41 ` Simon Glass
2011-09-23 22:36 ` Mike Frysinger
2011-09-23 23:06 ` Simon Glass
2011-09-25 20:16 ` Wolfgang Denk
2011-09-25 20:14 ` Wolfgang Denk
2011-09-26 18:25 ` Simon Glass
2011-09-26 18:47 ` Wolfgang Denk
2011-09-26 19:02 ` Simon Glass
2011-09-23 17:38 ` [U-Boot] [PATCH 4/4] Use snprintf() in network code Simon Glass
2011-09-23 18:15 ` Mike Frysinger
2011-09-23 18:30 ` Simon Glass
2011-09-23 20:09 ` Mike Frysinger
2011-09-23 20:39 ` Simon Glass
2011-09-23 20:40 ` [U-Boot] [PATCH 0/4] Buffer overruns in printf Albert ARIBAUD
2011-09-23 20:46 ` Simon Glass
2011-09-24 9:37 ` Albert ARIBAUD
2011-09-24 14:00 ` Simon Glass
2011-09-25 8:40 ` Albert ARIBAUD
2011-09-25 14:50 ` Simon Glass
2011-09-26 11:20 ` Albert ARIBAUD
2011-09-26 17:50 ` Simon Glass
2011-09-26 18:36 ` Wolfgang Denk
2011-09-26 22:28 ` Scott Wood [this message]
2011-09-27 6:52 ` Albert ARIBAUD
2011-10-10 19:06 ` Simon Glass
2011-10-10 20:36 ` Wolfgang Denk
2011-10-10 20:42 ` Simon Glass
2011-09-25 20:04 ` Wolfgang Denk
2011-09-26 17:30 ` Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E80FC92.9040500@freescale.com \
--to=scottwood@freescale.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox