Re: [PATCH 0/2] strlcpy/strlcat/wcslcpy/wcscat implementation

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

From: Paul Eggert <eggert@cs.ucla.edu>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH 0/2] strlcpy/strlcat/wcslcpy/wcscat implementation
Date: Sat, 8 Apr 2023 15:05:38 -0700	[thread overview]
Message-ID: <5df7f354-f571-d358-5d66-46f02f70e0d1@cs.ucla.edu> (raw)
In-Reply-To: <cover.1680693362.git.fweimer@redhat.com>

On 4/5/23 04:20, Florian Weimer wrote:
> Paul, the Austin Groups issue you raised has been closed.  Do you keep
> your sustained objection to adding these functions to glibc?

Yes, I'll withdraw that objection if we add the functions in a good way. 
Compatibility with POSIX is more important than omitting a misguided 
API, so long as the harm is limited to people who insist on using the 
API despite being warned.

By "good way" I mean the following three things.

1. Fix the manual to agree with draft POSIX (currently it disagrees). 
Also, the manual should mention the same sort of problems for 
strlcpy/etc. that it already mentions for strncpy/etc. - truncation can 
lead to security problems, non-text strings, that sort of thing.

2. Do not implement these functions via memcpy or strnlen or anything 
like that. Just use simple code like OpenBSD's. Preferably just use 
OpenBSD code as-is. Otherwise we have the danger of straying from 
OpenBSD semantics. This danger is already present in the proposed 
patches, which have undefined behavior in rare cases where OpenBSD's 
behavior is well-defined and where draft POSIX specifies the OpenBSD 
behavior.

We don't have time to formally verify or otherwise carefully audit this 
code, so this is no place to bikeshed or optimize. The goal is 
compatibility, not speed. Besides, strlcpy destinations and sources are 
almost always small, so in practice using memcpy etc. will likely be 
slower than just doing things the OpenBSD way.

3. The patch should be more conservative: it should declare these 
functions in string.h only on user request, i.e., only when compiled 
with -D_XOPEN_SOURCE=800 (or -D_POSIX_C_SOURCE=2023mmL) without 
-D_GNU_SOURCE. (We can add a new _STRLCPY_SOURCE macro too if that would 
be helpful, to selectively make these new functions visible.) This will 
suffice for POSIX conformance, and it will help avoid bugs when existing 
applications that already supply their own slightly-different strlcpy 
substitutes are compiled with new glibc: it will give these apps' 
maintainers the ability to decide after their own manual inspection 
whether and when to switch to glibc's strlcpy.

I'll follow up with more detailed comments on individual patches. And 
I'll volunteer to do (1), which is likely the most work anyway. I've 
already done much of (1) and will attach that to my detailed comments.

     prev parent reply	other threads:[~2023-04-08 22:05 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-05 11:20 Florian Weimer
2023-04-05 11:20 ` [PATCH 1/2] Implement strlcpy and strlcat [BZ #178] Florian Weimer
2023-04-05 13:18   ` Adhemerval Zanella Netto
2023-04-06  9:18     ` Florian Weimer
2023-04-06 14:22   ` Siddhesh Poyarekar
2023-04-06 15:09     ` Florian Weimer
2023-04-06 21:29     ` Alejandro Colomar
2023-04-11 14:28       ` Siddhesh Poyarekar
2023-04-20 10:55     ` Florian Weimer
2023-04-20 11:45       ` Siddhesh Poyarekar
2023-04-21 17:45         ` Florian Weimer
2023-04-06 21:21   ` Alejandro Colomar
2023-04-06 21:35     ` Florian Weimer
2023-04-06 22:15       ` Alejandro Colomar
2023-04-06 22:19       ` Alejandro Colomar
2023-04-06 22:34     ` Alejandro Colomar
2023-04-08 22:08   ` Paul Eggert
2023-04-09 15:29     ` Paul Eggert
2023-04-13 11:37       ` Florian Weimer
2023-04-13 14:39         ` Paul Eggert
2023-04-13 17:59           ` Paul Eggert
2023-04-20  8:07     ` Florian Weimer
2023-04-21 19:00       ` Paul Eggert
2023-04-28  8:49         ` Florian Weimer
2023-04-05 11:20 ` [PATCH 2/2] Add the wcslcpy, wcslcat functions Florian Weimer
2023-04-08 22:09   ` Paul Eggert
2023-04-05 12:30 ` [PATCH 0/2] strlcpy/strlcat/wcslcpy/wcscat implementation Alejandro Colomar
2023-04-08 22:05 ` Paul Eggert [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5df7f354-f571-d358-5d66-46f02f70e0d1@cs.ucla.edu \
    --to=eggert@cs.ucla.edu \
    --cc=fweimer@redhat.com \
    --cc=libc-alpha@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).