On 3/13/06, Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> wrote: > > My stand on this is that it's good that BIO_printf and friends works > in compatible ways with printf, AND it is a good thing to make use of > good extensions that are available elsewhere even if they aren't part > of a formal standard. > > So, the real question is, do we have any use for the z modifier? That > is the question that should be discussed, not if z is formalised or > not.
There is a need for the z modifier. The problem is only in how it's used. (I haven't looked at the BIO_printf code to see the full implementation.) However, size_t is the type of numbers returned by system calls, and since we're making use of those numbers, we need to be using the correct type. (There is no cross-platform automatic conversion, in C++ terms, of size_t to whatever is expected by any program that uses it, so whatever uses it should use size_t to be portable.) > > In my opinion we do need z, since size_t isn't always unsigned (with > Visual C 6, for example), and that some compilers pester us with > warnings if a size_t is used with a %lu specifier and even break > builds (with Visual C, for instance, last time I battled with this). I am in complete agreement, for the reasons stated above. (Even though they're probably not written such that most or even any people can understand them -- including myself a week from now. ;) ) The gist is, we use function calls that return size_t. We can't assume that size_t is of any particular type or size, and we can't assume that it will have an automatic conversion available to whatever we use it with. This is especially security-relevant to any kind of printf, whether system call or BIO_ call, since printf relies on sizes of parameters on the stack being precisely correct. So, the proper implementation is one that takes the possibility of a different-size size_t into account. The patch proposed does that, and (to my eye) appears to be compatible with both *NIX and Windows -- as well as (from Mr. Levitte's later statements) apparently having been developed and tested on Windows. Cheers, -Kyle H ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
