Re: [PATCH 1/1] lib/vsprintf: Implement ssprintf() to catch truncated strings

Tue, 30 Jan 2024 07:07:43 -0800 

On Mon, 29 Jan 2024, Lee Jones wrote:

> On Mon, 29 Jan 2024, David Laight wrote:
> 
> > ...
> > > > I'm sure that the safest return for 'truncated' is the buffer length.
> > > > The a series of statements like:
> > > >         buf += xxx(buf, buf_end - buf, .....);
> > > > can all be called with a single overflow check at the end.
> > > >
> > > > Forget the check, and the length just contains a trailing '\0'
> > > > which might cause confusion but isn't going to immediately
> > > > break the world.
> > > 
> > > snprintf() does this and has been proven to cause buffer-overflows.
> > > There have been multiple articles authored describing why using
> > > snprintf() is not generally a good idea for the masses including the 2
> > > linked in the commit message:
> > 
> > snprintf() returns the number of bytes that would have been output [1].
> > I'm not suggesting that, or not terminating the buffer.
> > Just returning the length including the '\0' (unless length was zero).
> > This still lets the code check for overflow but isn't going to
> > generate a pointer outside the buffer if used to update a pointer.
> 
> I see.  Well I'm not married to my solution.  However, I am convinced
> that the 2 solutions currently offered can be improved upon.  If you or
> anyone else has a better solution, I'd be more than happy to implement
> and switch to it.
> 
> Let me have a think about the solution you suggest and get back to you.

Okay, I've written a bunch of simple test cases and results are
positive.  It seems to achieve my aim whilst minimising any potential
pitfalls.

 - Success returns Bytes actually written - no functional change
 - Overflow returns the size of the buffer - which makes the result
   a) testable for overflow
   b) non-catastrophic if accidentally used to manipulate later sizes

    int size = 10;
    char buf[size];
    char *b = buf;

    ret = spprintf(b, size, "1234");
    size -= ret;
    b += ret;
    // ret = 4  size = 6  buf = "1234\0"

    ret = spprintf(b, size, "5678");
    size -= ret;
    b += ret;
    // ret = 4  size = 2  buf = "12345678\0"

    ret = spprintf(b, size, "9***");
    size -= ret;
    b += ret;
    // ret = 2  size = 0  buf = "123456789\0"

Since size is now 0, further calls result in no changes of state.

    ret = spprintf(b, size, "----");
    size -= ret;
    b += ret;
    // ret = 0  size = 0  buf = "123456789\0"

I'll knock this up and submit a patch.

-- 
Lee Jones [李琼斯]

Reply via email to