Date: Mon, 20 Mar 2023 08:05:32 -0400
Subject: Re: UB status of snprintf on invalid ptr+size combination?
To: Vincent Lefevre, libc-alpha@sourceware.org
References: <9d7ca3d8-6998-e741-b669-03ef42bc99f1@gmail.com> <20230319230722.GD390223@zira.vinc17.org>
From: Siddhesh Poyarekar
In-Reply-To: <20230319230722.GD390223@zira.vinc17.org>

On 2023-03-19 19:07, Vincent Lefevre wrote:
> On 2023-03-19 10:45:59 -0400, manfred via Libc-alpha wrote:
>> All of that said, back to the OP case I would not pass INT_MAX to snprintf.
>> If I have a situation wherein I know that the buffer is large enough, but I
>> don't know its exact size, I'd use sprintf and be done with it. (I'm sure
>> that the actual code is more elaborate than this, but still)
>
> In simple code, probably. But in actual code, it may be more natural
> to use snprintf. Something like that:
>
>   snprintf(buf, checked ? SIZE_MAX : n, "%s", s);
>
> The function may not know the buffer size if `checked` is true,
> so that it uses a known bound. Thanks to the common code being factorized,
> this is more readable than
>
>   if (checked)
>     sprintf (buf, "%s", s);
>   else
>     snprintf(buf, n, "%s", s);
>
> in particular in the cases where the format string is complex.

If your application requires such patterns then it really needs an
additional layer of abstraction, or maybe a rethink of the pattern itself.
This is not something the C runtime should try to solve.

I think on the glibc front it makes sense from a security perspective to
interpret this through POSIX rather than the C standard. Even if the C
standard is clarified to be contrary to POSIX and explicitly states that
n is not the size of the buffer (which would be a terrible mistake IMO),
I'd lean towards violating the C standard and conforming to POSIX instead.

Sid
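One shape the "additional layer of abstraction" mentioned above can take, as an added example that is not part of this thread or of glibc: a buffer type that carries its own capacity, so the `n` handed to `vsnprintf` is always the real object size (the POSIX reading) and callers never substitute a stand-in like `SIZE_MAX` or `INT_MAX`. The names `struct strbuf`, `sb_printf` and `sb_truncated` are hypothetical.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer type: data plus its true capacity travel together,
 * so the bound passed to vsnprintf is always the object size. */
struct strbuf {
    char *data;
    size_t cap;
};

/* Format into sb. Returns the snprintf result (characters that would have
 * been written, or a negative value on encoding error). */
static int sb_printf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int rc = vsnprintf(sb->data, sb->cap, fmt, ap);
    va_end(ap);
    return rc;
}

/* Non-zero when the output of an sb_printf call that returned rc did not fit. */
static int sb_truncated(const struct strbuf *sb, int rc)
{
    return rc < 0 || (size_t)rc >= sb->cap;
}

/* Constructed case: a 32-byte buffer, one fitting and one oversized string.
 * Returns 1 when both results behave as expected. */
static int demo(void)
{
    char storage[32];
    struct strbuf sb = { storage, sizeof storage };

    int rc1 = sb_printf(&sb, "%s", "short");
    int t1 = sb_truncated(&sb, rc1);           /* 0: fits */

    int rc2 = sb_printf(&sb, "%s", "0123456789012345678901234567890123456789");
    int t2 = sb_truncated(&sb, rc2);           /* 1: 40 chars into 32 bytes */

    /* Because n == cap, the buffer stays NUL-terminated and is never overrun. */
    return t1 == 0 && t2 == 1 && strlen(storage) == sizeof storage - 1;
}

int main(void)
{
    printf("demo %s\n", demo() ? "ok" : "failed");
    return !demo();
}
```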