From: Alejandro Colomar
To: Siddhesh Poyarekar, Vincent Lefevre, libc-alpha@sourceware.org
Date: Mon, 20 Mar 2023 13:17:11 +0100
Subject: Re: UB status of snprintf on invalid ptr+size combination?
Hi Vincent, Siddhesh,

On 3/20/23 13:05, Siddhesh Poyarekar wrote:
> On 2023-03-19 19:07, Vincent Lefevre wrote:
>> On 2023-03-19 10:45:59 -0400, manfred via Libc-alpha wrote:
>>> All of that said, back to the OP case I would not pass INT_MAX to snprintf.
>>> If I have a situation wherein I know that the buffer is large enough, but I
>>> don't know its exact size, I'd use sprintf and be done with it. (I'm sure
>>> that the actual code is more elaborate than this, but still)
>>
>> In simple code, probably. But in actual code, it may be more natural
>> to use snprintf. Something like that:
>>
>>     snprintf(buf, checked ? SIZE_MAX : n, "%s", s);
>>
>> The function may not know the buffer size if `checked` is true,
>> so that it uses a known bound. Thanks to common code factorized,
>> this is more readable than
>>
>>     if (checked)
>>         sprintf(buf, "%s", s);
>>     else
>>         snprintf(buf, n, "%s", s);
>>
>> in particular in the cases where the format string is complex.

That pattern looks like _FORTIFY_SOURCE, doesn't it? If so, the correct
action would be to call sprintf(3) and rely on the compiler to do the
checks.

snprintf(3) should be called when you can't guarantee at coding time if
the array is possibly overrun. If you can guarantee that, then call
sprintf(3), and the compiler will confirm.

Cheers,
Alex

>
> If your application requires such patterns then it really needs an
> additional layer of abstraction or maybe a rethink on the pattern
> itself. This is not something the C runtime should try to solve.
>
> I think on the glibc front it makes sense from a security perspective to
> interpret this through POSIX than the C standard. Even if the C
> standard is clarified to be contrary to POSIX and explicitly state that
> n is not the size of the buffer (which would be a terrible mistake IMO),
> I'd lean towards violating the C standard and conforming to POSIX instead.
>
> Sid

--
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
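The `checked ? SIZE_MAX : n` idiom and the explicit branch it abbreviates, written out side by side with a variant that always passes the real buffer size, as an added example that is not code from the thread or from glibc; the function names and the `truncated` out-parameter are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from the thread.  Function names and the
 * `truncated` out-parameter are assumptions for illustration. */

/* Vincent's idiom: one snprintf call, with a bound that cannot bite once
 * the caller has verified the buffer.  When checked is true, n is larger
 * than the object buf points to; that pointer+size combination is exactly
 * what the thread debates, and a fortified build (_FORTIFY_SOURCE with a
 * known object size) rejects it at run time. */
int copy_idiom(char *buf, size_t n, int checked, const char *s)
{
    return snprintf(buf, checked ? SIZE_MAX : n, "%s", s);
}

/* The explicit branch: same behaviour, but the checked path uses sprintf,
 * so the compiler's object-size check applies where the size is known. */
int copy_branch(char *buf, size_t n, int checked, const char *s)
{
    if (checked)
        return sprintf(buf, "%s", s);
    return snprintf(buf, n, "%s", s);
}

/* Defensive alternative: always pass the real size and report truncation
 * explicitly, so no call ever describes more space than exists.  snprintf
 * returns the length the full output would have had, so len >= n means
 * the result was cut short. */
int copy_bounded(char *buf, size_t n, const char *s, int *truncated)
{
    int len = snprintf(buf, n, "%s", s);

    *truncated = (len < 0 || (size_t)len >= n);
    return len;
}

int main(void)
{
    char buf[8];
    int truncated;

    copy_bounded(buf, sizeof buf, "0123456789", &truncated);
    printf("\"%s\" truncated=%d\n", buf, truncated); /* "0123456" truncated=1 */
    return 0;
}
```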