On Wed, 24 Nov 1999, Peter Jeremy wrote:

> On 1999-Nov-24 15:33:14 +1100, Brian Fundakowski Feldman wrote:
> >I'd like to note something.  Strcat isn't necessarily unsafe, and strncat()
> >isn't necessarily safe.
> 
> I wasn't implying that.  In fact, I believe the semantics of strncat()
> put it into the `hard to use correctly' category (or maybe `very likely
> to be misused').

It seemed like you were pointing out that these were inherently mistakes.

> 
> >     if (fscanf(file, "%d:foo:%.*s", &smurf, sizeof(something),
> >         something)  /* This is safe, of course. */
> Beep.  You lose.  "%.*s" doesn't exist in *scanf() [I thought it did,
> but it's not mentioned in either scanf(3) or the source].  You have
> to specify field widths as literals (which makes this sort of code
> a real PITA).

Ah, well, I've never actually tried it.  I've used non-'*' lengths;
the example still holds as long as you use fscanf() correctly and
specify the size as a number inside the fmt (which I didn't, of course :)

> 
> >#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
> >        char action2[32], proto[47], name[18], fragment[17];
> >        /* Print command name */
> >        snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
> >
> >Despite the fact that the buffer name[] was made to be exactly the
> >largest size, where sprintf() _would_be_safe_,
> 
> Not necessarily true.  Consider a system where sizeof(int)==8 (such C
> compilers exist today).  In this case "%d" can take 20 characters, but
> the code above assumes an int can always be printed in 11
> characters.

Our code doesn't run on a system _anything_ like that.   In fact, I
can't even think of compilers with 8 * NBBY ints.  GCC is one of those
that can be coerced into long being a software, 64-bit type.

> 
> >  Don't get caught doing this.
> >If you find a strcat() (for example), see if it's safe.  If it is,
> >then why replace it?
> 
> Confirming that it is safe (checking all the paths by which the
> strcat() can be reached) might take substantial effort (if the buffers
> and/or range checks are widely separated from the strcat() call).
> 
> In addition, someone might add a new path to the strcat(), or might
> change a buffer size, without properly checking all the ramifications.
> 
> I tend towards the approach that unless it's immediately obvious that
> it's safe, you are better off using strlcat() (or maybe strncat()).

You shouldn't be using static buffers in the first place, so str*cat()
should never be used.

> 
> Peter
> 

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 [EMAIL PROTECTED]                    `------------------------------'
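The three points argued above (the SNPARGS-style chained snprintf(), the width "%d" needs when sizeof(int) changes, and strlcat() as the safer append) in one runnable C file. This is an added example written for this thread, not code from the FreeBSD tree or from either poster; the helper names int_decimal_chars(), append_fmt(), build_rule_name() and bsd_strlcat() are hypothetical, and the 18-byte name[] buffer and the "ipfw: %d" format are taken from the quoted ipfw fragment.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on the characters "%d" can produce on this platform
 * (sign plus digits, not counting the NUL).  31 value bits need 10
 * digits, so this returns 11 on a 32-bit-int system and 21 where
 * sizeof(int) == 8 (a safe overestimate of the real 20). */
int int_decimal_chars(void)
{
    int value_bits = (int)(sizeof(int) * CHAR_BIT) - 1;
    int digits = value_bits * 302 / 1000 + 1;   /* >= ceil(bits * log10(2)) */
    return digits + 1;                          /* room for the '-' sign */
}

/* The SNPARGS idea made safe: *len tracks the length the output
 * *would* have had, so once the buffer is full every further call
 * gets a size of 0 and writes nothing, and buf + used never goes
 * beyond one past the end of the buffer.  Returns 1 if anything has
 * been truncated so far, -1 on a vsnprintf() error. */
int append_fmt(char *buf, size_t bufsize, size_t *len, const char *fmt, ...)
{
    va_list ap;
    size_t used = *len < bufsize ? *len : bufsize;  /* clamp, unlike SNPARGS */
    va_start(ap, fmt);
    int n = vsnprintf(buf + used, bufsize - used, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    *len += (size_t)n;
    return *len >= bufsize;
}

/* The ipfw "name" line from the thread: 18 bytes is exactly enough for
 * "ipfw: " plus an 11-character 32-bit int plus the NUL, and not enough
 * once "%d" can take 20 characters.  Returns 1 when truncated. */
int build_rule_name(char *name, size_t namesize, int fw_number)
{
    size_t len = 0;
    return append_fmt(name, namesize, &len, "ipfw: %d", fw_number);
}

/* OpenBSD-style strlcat(): appends src to dst, always NUL-terminates
 * when dsize > 0, and returns the length it tried to create so the
 * caller can detect truncation with (ret >= dsize).  Named bsd_strlcat
 * to avoid clashing with a libc that already provides strlcat(). */
size_t bsd_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == dsize)                /* dst is not terminated within dsize */
        return dsize + slen;
    size_t room = dsize - dlen - 1;   /* bytes left before the NUL */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

int main(void)
{
    char name[18], small[8];
    char cat[8] = "abc";                  /* constructed sample input */

    int t = build_rule_name(name, sizeof name, INT_MIN);
    printf("%s (truncated=%d, %%d needs at most %d chars here)\n",
           name, t, int_decimal_chars());

    t = build_rule_name(small, sizeof small, -1);
    printf("%s (truncated=%d)\n", small, t);

    size_t want = bsd_strlcat(cat, "defghij", sizeof cat);
    printf("%s (wanted %zu bytes, buffer holds %zu)\n", cat, want, sizeof cat);
    return 0;
}
```

The difference from the quoted SNPARGS macro is the clamp: SNPARGS passes `buf + len` even when `len` has already exceeded `sizeof(buf)`, which works only because the size argument collapses to 0, whereas append_fmt() keeps the pointer inside the object and still reports the would-be length so the caller can tell a full buffer from a truncated one.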


