public inbox for libc-alpha@sourceware.org
From: "David A. Wheeler" <dwheeler@dwheeler.com>
To: "azanella" <azanella@linux.vnet.ibm.com>
Cc: "libc-alpha" <libc-alpha@sourceware.org>
Subject: Re: Implement C11 annex K?
Date: Sat, 16 Aug 2014 04:41:00 -0000
Message-ID: <E1XIVnI-0004Zb-FF@rmm6prod02.runbox.com>
In-Reply-To: <53EE8D17.6020002@linux.vnet.ibm.com>

On Fri, 15 Aug 2014 19:43:35 -0300, Adhemerval Zanella <azanella@linux.vnet.ibm.com> wrote:
> Well, from last kernel developers iterations [1], I would say these functions 
> are also not well-liked in Linux...
> [1] https://plus.google.com/111049168280159033135/posts/1amLbuhWbh5


Well, let's take a look...

 
>David Herrmann originally shared:
>> A big thanks to BSD for introducing the safe strlcpy as replacement for strncpy. There's no unexpected behavior anymo-- wait, no.. oh god! strlcpy requires the source to be 0 terminated, even if its longer than the target size. Why? Of course, so the return-value can be the length of the string that was tried to be written, instead of the real written length.
> Not the first time I see kernel-patches replacing the good old:
> strncpy(kernel, from_user, len - 1) + kernel[len] = 0
> with:
> strlcpy(kernel, from_user, len)

The "recommended" approach using strncpy is absurd.  As Linus Torvalds quickly responds on Jul 28, 2014:
> Well, to be fair, "strncpy()" sucks too. It does the insane "pad with zero" which is a performance disaster with any sanely sized buffers.

Good thing we have snprintf to the rescue!! Oh wait, that *also* reads from the source even if it's longer than the target size.

I actually think that David Herrmann has a good point.  However, the usually-recommended alternatives, strncpy and snprintf, have the same semantics. If strlcpy/strlcat are to be faulted for this, then strncpy and snprintf should be rejected for the same reasons.


Now, it *is* true that Linus Torvalds continues with:
>  And yeah, the strlcpy return value is broken by design.
> If you're actually copying from user space in the kernel, do
>   ret = strncpy_from_user(buf, userptr, len);
>   if (ret < 0) return ret;
>   if (ret == len) return -ETOOLONG;

There is no similar function in glibc to my knowledge.  (I think the return value should just be negative if the data reaches len, to simplify truncation handling and force a strlcpy-like guarantee that the dest is terminated if it has length.)  Would something like that be more acceptable, since that would overcome the objection above, and obviously the Linux kernel developers *do* use a special copying routine for copying up to a given length into fixed-size buffers?

--- David A. Wheeler
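As an added illustration, not code from this thread, from glibc or from the Linux kernel: a userspace sketch of the routine proposed above (copy into a fixed-size buffer, stop reading the source as soon as it is exhausted or the buffer is full, always terminate when the buffer has any length, return negative when the source did not fit), set beside the strncpy behaviour the quoted messages complain about. The function name bounded_copy and the -1 truncation value are my assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded copy in the spirit of the proposal above.
 * Unlike strlcpy it never reads src past the bytes it needs, and unlike
 * strncpy it never zero-pads and always NUL-terminates when len > 0.
 * Returns the number of bytes stored (excluding the NUL), or -1 if the
 * source did not fit; on -1, dst still holds a terminated prefix. */
long bounded_copy(char *dst, size_t len, const char *src)
{
    size_t i;
    if (len == 0)
        return -1;              /* no room even for the terminator */
    for (i = 0; i < len - 1; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return (long)i;     /* fits: src was read only up to its NUL */
    }
    dst[i] = '\0';              /* buffer full: terminate at len - 1 */
    if (src[i] == '\0')
        return (long)i;         /* src was exactly len - 1 bytes long */
    return -1;                  /* truncated; src[i] is the last byte read */
}

/* Contrast: plain strncpy. When src has at least len bytes before its NUL
 * the destination is left unterminated; when it is shorter, the remainder
 * of dst is zero-filled (the padding Linus objects to).
 * Returns 1 if dst contains a NUL within its first len bytes, else 0. */
int strncpy_terminated(char *dst, size_t len, const char *src)
{
    strncpy(dst, src, len);
    return memchr(dst, '\0', len) != NULL;
}
```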
