From: Paul Eggert <eggert@cs.ucla.edu>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH 0/2] strlcpy/strlcat/wcslcpy/wcscat implementation
Date: Sat, 8 Apr 2023 15:05:38 -0700 [thread overview]
Message-ID: <5df7f354-f571-d358-5d66-46f02f70e0d1@cs.ucla.edu> (raw)
In-Reply-To: <cover.1680693362.git.fweimer@redhat.com>
On 4/5/23 04:20, Florian Weimer wrote:
> Paul, the Austin Groups issue you raised has been closed. Do you keep
> your sustained objection to adding these functions to glibc?
Yes, I'll withdraw that objection if we add the functions in a good way.
Compatibility with POSIX is more important than omitting a misguided
API, so long as the harm is limited to people who insist on using the
API despite being warned.
By "good way" I mean the following three things.
1. Fix the manual to agree with draft POSIX (currently it disagrees).
Also, the manual should mention the same sort of problems for
strlcpy/etc. that it already mentions for strncpy/etc. - truncation can
lead to security problems, non-text strings, that sort of thing.
2. Do not implement these functions via memcpy or strnlen or anything
like that. Just use simple code like OpenBSD's. Preferably just use
OpenBSD code as-is. Otherwise we have the danger of straying from
OpenBSD semantics. This danger is already present in the proposed
patches, which have undefined behavior in rare cases where OpenBSD's
behavior is well-defined and where draft POSIX specifies the OpenBSD
behavior.
We don't have time to formally verify or otherwise carefully audit this
code, so this is no place to bikeshed or optimize. The goal is
compatibility, not speed. Besides, strlcpy destinations and sources are
almost always small, so in practice using memcpy etc. will likely be
slower than just doing things the OpenBSD way.
3. The patch should be more conservative: it should declare these
functions in string.h only on user request, i.e., only when compiled
with -D_XOPEN_SOURCE=800 (or -D_POSIX_C_SOURCE=2023mmL) without
-D_GNU_SOURCE. (We can add a new _STRLCPY_SOURCE macro too if that would
be helpful, to selectively make these new functions visible.) This will
suffice for POSIX conformance, and it will help avoid bugs when existing
applications that already supply their own slightly-different strlcpy
substitutes are compiled with new glibc: it will give these apps'
maintainers the ability to decide after their own manual inspection
whether and when to switch to glibc's strlcpy.
I'll follow up with more detailed comments on individual patches. And
I'll volunteer to do (1), which is likely the most work anyway. I've
already done much of (1) and will attach that to my detailed comments.
prev parent reply other threads:[~2023-04-08 22:05 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-05 11:20 Florian Weimer
2023-04-05 11:20 ` [PATCH 1/2] Implement strlcpy and strlcat [BZ #178] Florian Weimer
2023-04-05 13:18 ` Adhemerval Zanella Netto
2023-04-06 9:18 ` Florian Weimer
2023-04-06 14:22 ` Siddhesh Poyarekar
2023-04-06 15:09 ` Florian Weimer
2023-04-06 21:29 ` Alejandro Colomar
2023-04-11 14:28 ` Siddhesh Poyarekar
2023-04-20 10:55 ` Florian Weimer
2023-04-20 11:45 ` Siddhesh Poyarekar
2023-04-21 17:45 ` Florian Weimer
2023-04-06 21:21 ` Alejandro Colomar
2023-04-06 21:35 ` Florian Weimer
2023-04-06 22:15 ` Alejandro Colomar
2023-04-06 22:19 ` Alejandro Colomar
2023-04-06 22:34 ` Alejandro Colomar
2023-04-08 22:08 ` Paul Eggert
2023-04-09 15:29 ` Paul Eggert
2023-04-13 11:37 ` Florian Weimer
2023-04-13 14:39 ` Paul Eggert
2023-04-13 17:59 ` Paul Eggert
2023-04-20 8:07 ` Florian Weimer
2023-04-21 19:00 ` Paul Eggert
2023-04-28 8:49 ` Florian Weimer
2023-04-05 11:20 ` [PATCH 2/2] Add the wcslcpy, wcslcat functions Florian Weimer
2023-04-08 22:09 ` Paul Eggert
2023-04-05 12:30 ` [PATCH 0/2] strlcpy/strlcat/wcslcpy/wcscat implementation Alejandro Colomar
2023-04-08 22:05 ` Paul Eggert [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5df7f354-f571-d358-5d66-46f02f70e0d1@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).