From: Rich Felker <dalias@libc.org>
To: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Cc: libc-alpha@sourceware.org
Subject: Re: Implement C11 annex K?
Date: Wed, 13 Aug 2014 20:49:00 -0000 [thread overview]
Message-ID: <20140813204901.GP12888@brightrain.aerifal.cx> (raw)
In-Reply-To: <53EBBFFE.4000206@linux.vnet.ibm.com>
On Wed, Aug 13, 2014 at 04:43:58PM -0300, Adhemerval Zanella wrote:
> On 13-08-2014 16:23, David A. Wheeler wrote:
> > On Tue, 12 Aug 2014 19:48:17 -0400, dalias <dalias@libc.org> wrote:
> >> I'd much rather see strlcpy/strlcat added.
> > I'd be happy to have someone work to add strlcpy/strlcat, and
> > I'd be happy to focus on doing that *first*.
> > After all, strlcpy/strlcat are short, well-understood, and easy-to-use.
> > I see no need to put strlcpy/strlcat in a separate lib_s file, since they're short.
> > Annex K has other capabilities I'd like to see, and is a formal standard, but
> > staging work is fine. I suspect that strlcpy/strlcat could help in implementing strcpy_s
> > (I'd have to check to make sure).
> >
> > So... would a high-quality strlcpy/strlcat patch be (FINALLY!) accepted?
>
> From time to time it arises and there is small FAQ about it [1]. Bottom line: it is not
> consensus that the strlcpy/strlcat functions provides any more 'safety'. You can check
> glibc alpha history and there are number of cases saying that it does not in fact, this is
> just and example [2].
I agree that these functions don't much to fix the underlying broken
and often insecure idioms of copying and concatenating strings, and I
don't like them and never recommend using them. But I still am in
favor of adding them to glibc, because lots of programs provide their
own when the system lacks them, and at least 75% of the reinvented
versions I've seen have critical bugs. So my main motivation for
wanting strlcpy/strlcat in glibc is just to prevent the buggy
application-provided ones from getting selected at configure time.
> I personally see compiler driver directives (like -D_FORTIFY_SOURCE or ASAN), runtime
> checks (like valgrind), or even higher level languages constructs (like std::string) to
> provide safety in a much more clean way. But I no expert in security...
-D_FORTIFY_SOURCE indeed tends to do a much better job, but it's a
"best effort" thing -- it's dependent on the compiler's analysis to
know object sizes, and if the compiler fails to do the necessary
analysis (e.g. at -O0) it fails open. Still I'd trust the compiler
more to get the actual object sizes right than I would trust the
programmer to get the args to the annex K functions right.
Rich
next prev parent reply other threads:[~2014-08-13 20:49 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1407616492.31098.ezmlm@sourceware.org>
2014-08-09 20:52 ` David A. Wheeler
2014-08-10 7:52 ` Andreas Jaeger
2014-08-10 15:03 ` Adhemerval Zanella
2014-08-11 15:32 ` Joseph S. Myers
2014-08-11 15:52 ` Paul Eggert
2014-08-11 16:06 ` Joseph S. Myers
2014-08-11 15:56 ` David A. Wheeler
2014-08-12 4:23 ` Rich Felker
[not found] ` <3565dfa0-060c-46b9-b08c-6edc4eaa1179@email.android.com>
2014-08-12 21:00 ` Rich Felker
[not found] ` <d4ae8119-f629-4235-8981-dd2ccc220fea@email.android.com>
2014-08-12 22:08 ` Rich Felker
2014-08-12 23:15 ` David A. Wheeler
2014-08-12 23:48 ` dalias
2014-08-13 19:23 ` David A. Wheeler
2014-08-13 19:44 ` Adhemerval Zanella
2014-08-13 19:45 ` Adhemerval Zanella
2014-08-13 20:49 ` Rich Felker [this message]
2014-08-13 20:41 ` dalias
2014-08-13 20:55 ` Joseph S. Myers
2014-08-13 21:25 ` Paul Eggert
2014-08-13 21:35 ` Rich Felker
2014-08-13 22:46 ` Tolga Dalman
2014-08-13 23:59 ` Russ Allbery
2014-08-14 0:55 ` Joseph S. Myers
2014-08-14 1:01 ` Russ Allbery
2014-08-14 2:25 ` Rich Felker
2014-08-14 5:25 ` Russ Allbery
2014-08-14 5:46 ` Rich Felker
2014-08-14 6:15 ` Russ Allbery
2014-08-14 9:55 ` Florian Weimer
2014-08-14 10:02 ` Andreas Schwab
2014-08-14 10:06 ` Florian Weimer
2014-08-14 10:13 ` Andreas Schwab
2014-08-14 16:26 ` Rich Felker
2014-08-14 16:53 ` Andreas Schwab
2014-08-14 17:04 ` Rich Felker
2014-08-18 7:31 ` Andreas Schwab
2014-08-18 19:20 ` Rich Felker
2014-08-14 15:20 ` Paul Eggert
2014-08-14 17:20 ` Russ Allbery
2014-08-14 17:46 ` Rich Felker
2014-08-15 7:51 ` Florian Weimer
2014-08-14 6:08 ` Paul Eggert
2014-08-15 14:25 ` David A. Wheeler
2014-08-15 15:36 ` Paul Eggert
2014-08-15 16:14 ` David A. Wheeler
2014-08-15 16:39 ` Rich Felker
2014-08-15 22:01 ` David A. Wheeler
2014-08-16 2:19 ` Rich Felker
2014-08-16 2:26 ` Russ Allbery
2014-08-16 2:49 ` Rich Felker
2014-08-16 3:03 ` Russ Allbery
2014-08-15 22:04 ` Paul Eggert
2014-08-15 22:25 ` David A. Wheeler
2014-08-15 22:43 ` Adhemerval Zanella
2014-08-16 4:41 ` David A. Wheeler
2014-08-16 5:01 ` Rich Felker
2014-08-17 18:03 ` David A. Wheeler
2014-08-17 19:05 ` dalias
2014-08-17 20:33 ` David A. Wheeler
2014-08-17 23:25 ` Rich Felker
2014-08-18 0:59 ` David A. Wheeler
2014-08-18 0:15 ` David A. Wheeler
2014-08-18 8:03 ` Paul Eggert
2014-08-18 19:22 ` Rich Felker
2014-08-21 22:45 ` David A. Wheeler
2014-08-22 0:37 ` Rich Felker
2014-08-22 1:39 ` William Park
2014-08-22 1:53 ` Jonathan Nieder
2014-08-22 4:36 ` William Park
2014-08-22 2:32 ` Paul Eggert
2014-08-22 2:51 ` Rich Felker
2014-09-08 23:21 ` David A. Wheeler
2014-09-09 3:34 ` Paul Eggert
2014-08-13 22:20 ` Time to add strlcpy/strlcat FINALLY David A. Wheeler
2014-08-14 1:09 ` Paul Eggert
2014-08-14 2:34 ` Rich Felker
2014-08-14 3:02 ` William Park
2014-08-14 13:01 ` Mike Frysinger
2014-08-15 10:37 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140813204901.GP12888@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=azanella@linux.vnet.ibm.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).