public inbox for libc-alpha@sourceware.org
From: Rich Felker <dalias@libc.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: dwheeler@dwheeler.com, libc-alpha <libc-alpha@sourceware.org>
Subject: Re: Implement C11 annex K?
Date: Fri, 22 Aug 2014 02:51:00 -0000
Message-ID: <20140822025051.GN12888@brightrain.aerifal.cx>
In-Reply-To: <53F6ABC8.1060008@cs.ucla.edu>

On Thu, Aug 21, 2014 at 07:32:40PM -0700, Paul Eggert wrote:
> David A. Wheeler wrote:
> 
> >I'd like to convince you to think about *risk*.
> 
> I had already thought about it.  There's no evidence that using
> strlcpy reduces risk significantly, compared to spending an
> equivalent amount of effort using standard alternatives.  If
> anything, the little evidence we've seen indicates the contrary.
> 
> Most of your email was about *style*, not about *risk*.  Style
> arguments are a recipe for endless dispute, which I'd rather avoid;
> so I'll let you have the last word on style preferences.  Going onto
> the technical points:

I agree totally that style arguments are a dead-end, but can we focus
on the facts (cited in the linked email from Theo) about how many
programs are using strlcpy/strlcat, and providing their own (high
risk) when the system doesn't provide one? This is the one situation
where adding strlcpy/strlcat to glibc would make an immediate
difference to security: programs which only define their own version
when the system lacks it would immediately get a safe version.

For other programs which are unconditionally defining their own
version, there would be no immediate effect, but it's plausible that
they would gradually transition to using the system one when it's
available.

> >>>auth.c:486:
> >>>  strlcpy(buf, cp, sizeof(buf));
> >>>  ... So.. do you really believe that MAXPATHLEN really is the max length?
> >>
> 
> >>... this use of strlcpy has undefined behavior ...
> >
> >I don't think so.  strlcpy is required to copy the source left-to-right
> 
> The OpenBSD man page for strlcpy disagrees with you; see <http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/strlcpy.3>,
> which says "If the src and dst strings overlap, the behavior is
> undefined."  If strlcpy were standardized no doubt the same language
> would apply, as it's de rigueur for the string functions.

I'm actually somewhat surprised OpenBSD specified any aspect of the
function, except passing an invalid pointer or lying about the buffer
size, to yield undefined behavior. Without looking at the man page I
thought it was more likely they might have just overlooked this issue,
if they hadn't explicitly defined the function to check for it and
either support it or consider it a reportable error.

> For the other three calls to strlcpy, you raised only style-based
> objections.
> 
> So, on a technical basis we have the same results as before: of the
> five strlcpy calls you brought up, one call can have undefined
> behavior, one call does silent truncation, and the other three do
> not fix any bugs compared to using standard routines.
> 
> To be honest, I was surprised by these results: I didn't think
> strlcpy would be this strikingly bad.

:-)

Rich
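The fallback pattern Rich describes (a program that ships its own strlcpy only when the system lacks one) together with the two technical points from the quoted exchange, silent truncation and undefined behaviour on overlapping src/dst, shown as an added C example. This code is not from the thread, from glibc or from OpenBSD; the HAVE_STRLCPY feature macro, local_strlcpy, copy_checked and the copy_status values are assumed names chosen for the illustration, and the overlap test assumes a flat address space where converting pointers to uintptr_t and comparing them is meaningful.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed fallback: the kind of local strlcpy many programs carry for
 * systems whose libc lacks it. Semantics follow the OpenBSD man page:
 * copy at most size-1 bytes, always NUL-terminate when size > 0, and
 * return strlen(src) so the caller can detect truncation. HAVE_STRLCPY is
 * an assumed configure-style macro, not a real glibc feature test. */
#ifndef HAVE_STRLCPY
static size_t local_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}
#define strlcpy local_strlcpy
#endif

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_OVERLAP = 2 };

/* Hypothetical wrapper (not a glibc or OpenBSD API): treats an overlapping
 * src/dst pair as a reportable error instead of silently invoking undefined
 * behaviour, and turns strlcpy's return value into an explicit truncation
 * signal so the caller cannot ignore it by accident. On COPY_OVERLAP the
 * destination is left untouched. */
static enum copy_status copy_checked(char *dst, size_t size, const char *src)
{
    size_t srclen = strlen(src);
    /* Overlap test on integer addresses. Comparing unrelated pointers with
     * '<' is not portable C, so the check assumes a flat address space and
     * goes through uintptr_t. The source range includes its terminating NUL. */
    uintptr_t d0 = (uintptr_t)dst, d1 = d0 + size;
    uintptr_t s0 = (uintptr_t)src, s1 = s0 + srclen + 1;
    if (d0 < s1 && s0 < d1)
        return COPY_OVERLAP;
    /* strlcpy returns the full source length; a result >= size means the
     * copy was cut short, which the caller must treat as an error. */
    if (strlcpy(dst, src, size) >= size)
        return COPY_TRUNCATED;
    return COPY_OK;
}

int main(void)
{
    char buf[8]; /* constructed small buffer to force truncation */
    printf("fits:      %d\n", (int)copy_checked(buf, sizeof buf, "hello"));
    printf("truncated: %d\n", (int)copy_checked(buf, sizeof buf, "hello, world"));
    printf("overlap:   %d\n", (int)copy_checked(buf, sizeof buf, buf + 2));
    return 0;
}
```

The wrapper is the defensive shape of the argument in the thread: the fallback alone only prevents the overflow, while checking the return value prevents the silent-truncation case and the overlap check turns the man page's undefined behaviour into something a test or a log line can catch.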
