Re: [Nmh-workers] strncpy(3), die, die, die.


From: Ralph Corderoy
Subject: Re: [Nmh-workers] strncpy(3), die, die, die.
Date: Mon, 24 Oct 2016 22:10:46 +0100

Hi Todd,

> Paul Vixie wrote:
> > Copy or die, as the default behavior.

malloc!  Or death!

> Both snprintf() and strlcpy() make it fairly easy to detect when the
> buffer was too small, which is more than I can say for strncpy().  It
> is up to the programmer to actually check the return value.

And there's the nub.  It can be done with strncpy too;  check
strnlen(3)'s result afterwards.  But the existing code does not check,
and I'm not aiming to rewrite the code so I don't think the check should
be added at the call-site.  That also knocks out Paul's `copy' option
above since if a local char[] is being used as the destination then I'm
intending it remains that.

I'm not arguing this shouldn't change in the future, but my aim is to do
lots of small localised, readily verifiable by inspection, "fixes".
That might be removing redundancy from the source, not just to remove the
chance of error, but to save every read of it having to verify
consistency.  Or it may be, like here, to improve the run-time behaviour
a bit.  Better the truncation isn't silent.

> That said, I certainly agree that proceeding with a truncated buffer
> is the wrong thing to do.  Many (but not all) systems these days
> provide asprintf() which dynamically allocates its buffer which can
> solve a lot of these problems.

Yes, asprintf(3) is very handy.  Unfortunately, it's not standardised; C
nor POSIX.  And rolling your own version around vsnprintf(3) can mean
doing the formatting twice;  the first time to get the length.  You've
then a malloc'd pointer to track.  So it's more of a change than I
want to tackle now.  This is the kind of thing I've been doing.
http://git.savannah.gnu.org/cgit/nmh.git/commit/?id=9b3fc4790b2473b23c69c0e70710e1e66a038f28&context=1

So I'm really after moving some of the strncmp()s into the "really wants
to copy the string whole, without any padding, and doesn't intend to
truncate" camp by using a new routine for those thus identified.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
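
The three approaches discussed in this thread, as an added example that is not code from the message or from nmh: detecting that strncpy(3) truncated by checking strnlen(3) afterwards, a routine that copies a string whole into a fixed char[] or reports failure instead of silently truncating, and a portable asprintf(3) built on vsnprintf(3) that formats twice (first to measure, then to fill). The function names strncpy_truncated(), copy_whole() and asprintf_portable() are hypothetical, chosen for the example; copy_whole() returns -1 rather than calling exit() so it can be exercised from a test, where a real "copy or die" routine would abort.

```c
/* Added example (not nmh code). Function names are hypothetical.
 * strnlen(3) is POSIX.1-2008, hence the feature-test macro. */
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strncpy(3) then check: returns 1 if the copy was truncated, i.e. no NUL
 * terminator landed inside dst[dstsz].  This is the after-the-fact check
 * the existing call sites do not perform. */
int strncpy_truncated(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return strnlen(dst, dstsz) == dstsz;   /* dstsz bytes and no NUL */
}

/* Copy src whole into dst[dstsz], no padding, no silent truncation.
 * Returns 0 on success, -1 if src (plus its NUL) would not fit; in the
 * failure case dst is left as an empty, NUL-terminated string. */
int copy_whole(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dstsz == 0)
        return -1;
    n = strnlen(src, dstsz);         /* never reads past dstsz bytes of src */
    if (n == dstsz) {                /* src has >= dstsz chars: would truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* n chars plus the terminating NUL */
    return 0;
}

/* Portable asprintf(3) on top of vsnprintf(3).  Formats twice: the first
 * pass with a NULL buffer only measures, the second fills the malloc'd
 * buffer.  Returns the length or -1; *out must be free(3)d by the caller. */
int asprintf_portable(char **out, const char *fmt, ...)
{
    va_list ap, ap2;
    int n;
    char *buf;

    va_start(ap, fmt);
    va_copy(ap2, ap);                /* vsnprintf consumes ap; keep a copy */
    n = vsnprintf(NULL, 0, fmt, ap); /* pass 1: length excluding NUL */
    va_end(ap);
    if (n < 0) {
        va_end(ap2);
        *out = NULL;
        return -1;
    }
    buf = malloc((size_t)n + 1);
    if (buf == NULL) {
        va_end(ap2);
        *out = NULL;
        return -1;
    }
    vsnprintf(buf, (size_t)n + 1, fmt, ap2); /* pass 2: actual formatting */
    va_end(ap2);
    *out = buf;
    return n;
}

int main(void)
{
    char buf[8];                     /* constructed: room for 7 chars + NUL */
    char *dyn;

    printf("strncpy \"exactly8\" truncated: %d\n",
           strncpy_truncated(buf, sizeof buf, "exactly8"));
    printf("copy_whole \"12345678\": %d (buf=\"%s\")\n",
           copy_whole(buf, sizeof buf, "12345678"), buf);
    printf("copy_whole \"1234567\": %d (buf=\"%s\")\n",
           copy_whole(buf, sizeof buf, "1234567"), buf);
    if (asprintf_portable(&dyn, "%s-%d", "nmh", 42) >= 0) {
        printf("asprintf_portable: \"%s\"\n", dyn);
        free(dyn);
    }
    return 0;
}
```

Note that copy_whole() bounds its strnlen(3) call by dstsz, so an unterminated src is never scanned past the destination size, and that asprintf_portable() must va_copy(3) before the measuring pass, since vsnprintf(3) leaves the original va_list indeterminate.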
