On 1999-Nov-24 15:33:14 +1100, Brian Fundakowski Feldman wrote:
>I'd like to note something.  Strcat isn't necessarily unsafe, and strncat()
>isn't necessarily safe.

I wasn't implying that.  In fact, I believe the semantics of strncat()
put it into the `hard to use correctly' category (or maybe `very likely
to be misused').

>       if (fscanf(file, "%d:foo:%.*s", &smurf, sizeof(something),
>           something)  /* This is safe, of course. */
Beep.  You lose.  "%.*s" doesn't exist in *scanf() [I thought it did,
but it's not mentioned in either scanf(3) or the source].  You have
to specify field widths as literals (which makes this sort of code
a real PITA).

>#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
>        char action2[32], proto[47], name[18], fragment[17];
>        /* Print command name */
>        snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
>
>Despite the fact that the buffer name[] was made to be exactly the
>largest size, where sprintf() _would_be_safe_,

Not necessarily true.  Consider a system where sizeof(int)==8 (such C
compilers exist today).  In this case "%d" can take 20 characters, but
the code above assumes an int can always be printed in 11
characters.

>  Don't get caught doing this.
>If you find a strcat() (for example), see if it's safe.  If it is,
>then why replace it?

Confirming that it is safe (checking all the paths by which the
strcat() can be reached) might take substantial effort (if the buffers
and/or range checks are widely separated from the strcat() call).

In addition, someone might add a new path to the strcat(), or might
change a buffer size, without properly checking all the ramifications.

I tend towards the approach that unless it's immediately obvious that
it's safe, you are better off using strlcat() (or maybe strncat()).

Peter
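As an added example (not code from the thread or from FreeBSD), the program below reproduces the quoted SNPARGS/snprintf line with a `long long` standing in for the hypothetical sizeof(int)==8 case, and computes the worst-case width of "%d" for a given integer size; the function names, the NAME_SIZE constant and the `long long` substitution are assumptions of this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Macro as quoted in the thread, with the arguments parenthesised. */
#define SNPARGS(buf, len) (buf) + (len), sizeof(buf) > (len) ? sizeof(buf) - (len) : 0

/* Size of name[] in the quoted ipfw code: "ipfw: " (6) + 11-char int + NUL. */
#define NAME_SIZE 18

/* Worst-case characters needed to print a signed integer of `bytes` bytes
 * with "%d"-style formatting: one sign character plus the decimal digits
 * of 2^(bits-1).  30103/100000 is an integer approximation of log10(2);
 * the ceiling is exact for 1..16-byte integers. */
size_t max_decimal_chars(size_t bytes)
{
    size_t magnitude_bits = bytes * 8 - 1;
    size_t digits = (magnitude_bits * 30103 + 99999) / 100000;  /* ceil */
    return digits + 1;                                          /* '-' */
}

/* The quoted ipfw line, with long long playing the role of an 8-byte int.
 * Returns what snprintf reported it wanted to write; the (possibly
 * truncated) NUL-terminated text is copied to out.  A return value
 * >= NAME_SIZE is the truncation signal that sprintf() never gives:
 * sprintf() would have written past the end of name[] instead. */
int format_rule_name(long long fw_number, char *out, size_t outlen)
{
    char name[NAME_SIZE];
    int wanted = snprintf(SNPARGS(name, 0), "ipfw: %lld", fw_number);
    snprintf(out, outlen, "%s", name);
    return wanted;
}

int main(void)
{
    char out[32];
    printf("4-byte int needs up to %zu chars, 8-byte int needs %zu\n",
           max_decimal_chars(4), max_decimal_chars(8));
    int wanted = format_rule_name(LLONG_MIN, out, sizeof out);
    printf("wanted %d chars, buffer kept \"%s\" (%zu chars)\n",
           wanted, out, strlen(out));
    return 0;
}
```

With a 4-byte int the 18-byte buffer is exactly large enough; with an 8-byte value snprintf stops at 17 characters and reports 26, which is the check a caller can act on.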

