This is the mail archive of the
libc-alpha@sources.redhat.com
mailing list for the glibc project.
Re: [open-source] Re: Wish for 2002 ...
- From: Valentin Nechayev <netch at iv dot nn dot kiev dot ua>
- To: Linus Torvalds <torvalds at transmeta dot com>
- Cc: mouring at etoh dot eviladmin dot org, Markus Friedl <markus at openbsd dot org>, Paul Eggert <eggert at twinsun dot com>, leclerc at austin dot sns dot slb dot com, security-audit at ferret dot lmh dot ox dot ac dot uk, libc-alpha at sources dot redhat dot com, openssh at openbsd dot org
- Date: Sat, 12 Jan 2002 00:45:46 +0200
- Subject: Re: [open-source] Re: Wish for 2002 ...
- Organization: Dark side of coredump
- References: <Pine.BSO.4.33.0201111306400.4650-100000@etoh.eviladmin.org> <Pine.LNX.4.33.0201111121510.4042-100000@penguin.transmeta.com>
Fri, Jan 11, 2002 at 11:36:27, torvalds (Linus Torvalds) wrote about "Re: [open-source] Re: Wish for 2002 ...":
> static char *strdup2(const char *s1, const char *s2)
> {
> size_t l1 = strlen(s1);
> size_t l2 = strlen(s2);
> char * p = xmalloc(l1 + l2 + 1);
>
> memcpy(p, s1, l1);
> memcpy(p+l1, s2, l2);
> p[ l1 + l2 ] = 0;
> return p;
> }
Q.E.D.: no strcpy/strcat here.
> which is simple, portable, efficient, readable and secure. And notice how
> strlcat/strlcpy doesn't give you _any_ of those.
And if you want concatenate three, four or more strings,
you will produce another and another variants of strdup${n}()?
Or simply call asprintf() with loss in efficiency, but quire more
advantage in human readability?
This your `simple, portable, efficient, readable and secure' approach
has one but sometimes the most important quality: it is too limited
to one particular case.
> Then you just replace your current crap with
>
> p = strdup2(PROMPT, challenge);
>
> and get it all over with.
I'm really surprised why which little code piece was discussed as it were
be the top of programming art.;)) It can be even calculated why
Paul Eggert printed the same this piece: it is most ugly in the whole code,
and it is the code where strlcat() is used only for paranoia, not for
real need. Lots another places, where strlcat() is really needed for
security even in environment of a crowd of coders smoking dirty grass
from gas station, were (specially?) omitted. Correct discussion
isn't proceeded with such methods.
Nobody, I hope, declare strlc*() as panacaea. They are ugly and can
be considered only as temporary stopper for dam hole; but, even for this
they are better than strcpy/strcat: they provide local (for one function
call) security and requires programmer to keep real buffer size
in sight.
> I will claim that the easiest way to improve security and reliability has
> _nothing_ to do with stupid functions like strlcat, and _everything_ to do
> with
>
> - readable, understandable, straightforward
> - small, "obvious" functions that are clearly secure in themselves.
>
> Which are good things to have even if you don't work on security.
>
> So how about it? Create your own small "strdup2()" instead of pushing
> crap on others.
Your requirements shall never be fulfilled while the C language exists,
this greatest diversion in whole IT industry history. Unless C were muted to
support reliable strings, at least similar to C++ std::string class,
programmers will use dangerous strcpy/strcat stuff and make errors in this use.
strlcpy/strlcat weren't, AFAIS, designed for experienced programmers which
always imagine program with full clearance; there are too few such
programmers. These functions were designed to be used in *real* world
where most programmers can't think clean and reliable due to lack
of education, problems in family, too expensive life, or any another
reason. They want to use crutches, and librarian's task is to provide
the same crutches average programmer wants. No matters that strlcpy() is
twice less efficient, but that matters it helps against bugs. But this
simple truth is too hard to be understood by gods in programming.
* Their circle is too narrow, they are too far from people.
[ V. Lenin ]
/netch