[U-Boot] [PATCH 0/4] Buffer overruns in printf
Albert ARIBAUD
albert.u.boot at aribaud.net
Sun Sep 25 10:40:48 CEST 2011
Le 24/09/2011 16:00, Simon Glass a écrit :
>> So basically the choice is between:
>>
>> - adding code to the printf() family to try and fix an issue that it is
>> fundamentally unable to properly fix, and for which a solution exists, or
>>
>> - grepping and fixing calls to *sprintf() in U-Boot that do not respect the
>> known contraints of printf(), by resizing the buffer or calling *snprintf()
>> instead.
>>
>> I am definitely not in favor of the first option concerning U-Boot.
>
> Sounds fine to me. So I think we need the nprintf() variants in there,
> but the message is not to use them willy nilly. Going back to my patch
> series, 3/4 is ok, but 4/4 mostly crosses the line. Do I have that
> right?
It is the exact opposite for me : 3/4 makes all printf functions work
like some kind of *nprintf(), while 4/4 is about the network code
switching to *nprintf() for safety, so 3/4 would be nak and 4/4 ack as
far as I am concerned.
Basically, printf family functions which do not have the 'n' are *know*
by all -- experienced enough :) -- programmers to be *unsafe* (but to
require less from the caller) and it should remain so: no programmer
should ever encounter an implementation of printf that pretends to be
even somewhat safe, because it might bite him/her elsewhere, in another
project based on another C library where printf is just the beartrap it
usually is.
IOW, programmers already have assumptions about *printf(), including how
to deal with length limitations and what happens if you don't, and it is
best that these assumption remain true whatever project they work with.
> By the way, printf() ends up calling the same code, but without limit
> checking in place. The alternative is to duplicate all the format
> string processing code (a limit-checking version and an unchecked
> version) which would be worse.
I don't intend to dictate the way things can be implemented, so the
degree of code reuse is an open question as far as I am concerned. I am
only voicing my opinion that *printf() APIs and their contracts should
remain identical across all implementations of *printf(), and thus that
providing *nprintf() where they don't exist is commandable, but
hardening printf() is not, since you basically cannot do it without
somewhat departing from the de facto standard.
> Regards,
> Simon
Amicalement,
--
Albert.
More information about the U-Boot
mailing list