public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed
From: Alejandro Colomar <alx.manpages@gmail.com>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>,
	Vincent Lefevre <vincent@vinc17.net>,
	libc-alpha@sourceware.org
Subject: Re: UB status of snprintf on invalid ptr+size combination?
Date: Mon, 20 Mar 2023 13:17:11 +0100	[thread overview]
Message-ID: <f2da3fc3-62f5-a86a-0429-d0a88f251044@gmail.com> (raw)
In-Reply-To: <cb1d1ef7-5985-fdf1-fa1e-805da1eae294@gotplt.org>


[-- Attachment #1.1: Type: text/plain, Size: 2090 bytes --]

Hi Vincent, Siddhesh,

On 3/20/23 13:05, Siddhesh Poyarekar wrote:
> On 2023-03-19 19:07, Vincent Lefevre wrote:
>> On 2023-03-19 10:45:59 -0400, manfred via Libc-alpha wrote:
>>> All of that said, back to the OP case I would not pass INT_MAX to snprintf.
>>> If I have a situation wherein I know that the buffer is large enough, but I
>>> don't know its exact size, I'd use sprintf and be done with it. (I'm sure
>>> that the actual code is more elaborate than this, but still)
>>
>> In simple code, probably. But in actual code, it may be more natural
>> to use snprintf. Something like that:
>>
>>    snprintf(buf, checked ? SIZE_MAX : n, "%s", s);
>>
>> The function may not know the buffer size if `checked` is true,
>> so that it uses a known bound. Thanks to common code factorized,
>> this is more readable than
>>
>>    if (checked)
>>      sprintf (buf, "%s", s);
>>    else
>>      snprintf(buf, n, "%s", s);
>>
>> in particular in the cases where the format string is complex.

That pattern looks like _FORTIFY_SOURCE, doesn't it?  If so, the correct
action would be to call sprintf(3) and rely on the compiler to do the
checks.

snprintf(3) should be called when you can't guarantee at coding time
if the array is possibly overrun.  If you can guarantee that, then call
sprintf(3), and the compiler will confirm.

Cheers,
Alex

> 
> If your application requires such patterns then it really needs an 
> additional layer of abstraction or maybe a rethink on the pattern 
> itself.  This is not something the C runtime should try to solve.
> 
> I think on the glibc front it makes sense from a security perspective to 
> interpret this through POSIX than the C standard.  Even if the C 
> standard is clarified to be contrary to POSIX and explicitly state that 
> n is not the size of the buffer (which would be a terrible mistake IMO), 
> I'd lean towards violating the C standard and conforming to POSIX instead.
> 
> Sid

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2023-03-20 12:17 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-14 19:47 Simon Chopin
2023-03-14 21:39 ` Paul Eggert
2023-03-15  9:22   ` Andreas Schwab
2023-03-15 15:54     ` Siddhesh Poyarekar
2023-03-15 18:34     ` Michael Hudson-Doyle
2023-03-19 14:45     ` manfred
2023-03-19 23:07       ` Vincent Lefevre
2023-03-20 12:05         ` Siddhesh Poyarekar
2023-03-20 12:17           ` Alejandro Colomar [this message]
2023-03-20 12:29             ` Siddhesh Poyarekar
2023-03-20 13:36             ` Vincent Lefevre
2023-03-20 13:50           ` Vincent Lefevre
2023-03-20 16:56             ` Siddhesh Poyarekar
2023-03-20 17:36               ` Vincent Lefevre
2023-03-20 15:09       ` Vincent Lefevre
2023-03-20 16:15         ` Alejandro Colomar
2023-03-20 16:33           ` Vincent Lefevre
2023-03-20 17:00           ` Vincent Lefevre
2023-03-20 17:31             ` Siddhesh Poyarekar
2023-03-20 17:45               ` Vincent Lefevre
2023-03-15 12:39   ` Vincent Lefevre
2023-03-16 10:29     ` Stephan Bergmann
2023-03-18  2:07       ` Vincent Lefevre
2023-03-18  2:30         ` Alejandro Colomar
2023-03-18 10:58           ` Vincent Lefevre
2023-03-18 15:01             ` Andreas Schwab
2023-03-19 22:48               ` Vincent Lefevre
2023-03-19 23:24                 ` Andreas Schwab
2023-03-20  4:10                   ` Vincent Lefevre
2023-03-20  9:19                     ` Andreas Schwab
2023-03-20 10:42                       ` Vincent Lefevre
2023-03-20 10:44                         ` Andreas Schwab

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f2da3fc3-62f5-a86a-0429-d0a88f251044@gmail.com \
    --to=alx.manpages@gmail.com \
    --cc=libc-alpha@sourceware.org \
    --cc=siddhesh@gotplt.org \
    --cc=vincent@vinc17.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).