This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [open-source] Re: Wish for 2002 ...

From: Alexandre Oliva <aoliva at redhat dot com>
To: Valentin Nechayev <netch at iv dot nn dot kiev dot ua>
Cc: Linus Torvalds <torvalds at transmeta dot com>, mouring at etoh dot eviladmin dot org, Markus Friedl <markus at openbsd dot org>, Paul Eggert <eggert at twinsun dot com>, leclerc at austin dot sns dot slb dot com, security-audit at ferret dot lmh dot ox dot ac dot uk, libc-alpha at sources dot redhat dot com, openssh at openbsd dot org
Date: 11 Jan 2002 23:05:47 -0200
Subject: Re: [open-source] Re: Wish for 2002 ...
Organization: GCC Team, Red Hat
References: <Pine.BSO.4.33.0201111306400.4650-100000@etoh.eviladmin.org><Pine.LNX.4.33.0201111121510.4042-100000@penguin.transmeta.com><20020112004546.A452@iv.nn.kiev.ua>

On Jan 11, 2002, Valentin Nechayev <netch@iv.nn.kiev.ua> wrote:

> requires programmer to keep real buffer size in sight.

That's the error in the approach.  As written before, the GNU project
recommends programs to avoid arbitrary limitations such as fixed-size
buffers.  So strlcat/cpy are contrary to the GNU way.

> Unless C were muted to support reliable strings, at least similar to
> C++ std::string class, programmers will use dangerous strcpy/strcat
> stuff and make errors in this use.

If that's what programmers will use, what's the point of adding
strlcpy/cat? :-P :-D

> that matters it helps against bugs

Against buffer overflow bugs, no more.  And it will help introduce
another class of bugs that fixed-size buffers will never be able to
overcome.

One approach I like very much is that of stralloc, that I first saw in
Amanda code.  Concatenating multiple strings into a newly-allocated
buffer created with the right size is as simple as stralloc(string1,
string2, ..., NULL);

It's an unfortunate thing that, if the NULL is left out, you'll not
get a hard error at compile time, and if the chunk of code isn't
exercised very often, you may end up with an exploitable run-time
crash.  I still find this better than being connected to
ahost.mysite.com instead of ahost.mysite.com.br just because the
implementor chose a 24-byte buffer and used strlcat to concat
"http://"; to the FQDN host name.

-- 
Alexandre Oliva   Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/
Red Hat GCC Developer                  aoliva@{cygnus.com, redhat.com}
CS PhD student at IC-Unicamp        oliva@{lsd.ic.unicamp.br, gnu.org}
Free Software Evangelist    *Please* write to mailing lists, not to me

Follow-Ups:
- Re: [open-source] Re: Wish for 2002 ...
  - From: Martin v. Loewis

References:
- Re: [open-source] Re: Wish for 2002 ...
  - From: mouring
- Re: [open-source] Re: Wish for 2002 ...
  - From: Linus Torvalds
- Re: [open-source] Re: Wish for 2002 ...
  - From: Valentin Nechayev

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]