This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Implement C11 annex K?
- From: "David A. Wheeler" <dwheeler at dwheeler dot com>
- To: "eggert" <eggert at cs dot ucla dot edu>
- Cc: "libc-alpha" <libc-alpha at sourceware dot org>, "eagle" <eagle at eyrie dot org>
- Date: Fri, 15 Aug 2014 10:25:24 -0400 (EDT)
- Subject: Re: Implement C11 annex K?
- Reply-to: dwheeler at dwheeler dot com
On Wed, 13 Aug 2014 23:08:42 -0700, Paul Eggert <eggert@cs.ucla.edu> wrote:
> The following is certainly shorter and to my eyes considerably easier to
> follow, which appears to be the goal here (not efficiency, obviously, or
> we wouldn't be talking about strlcat).
>
> char *
> vector_join(const struct vector *vector, const char *sep)
> {
>   char *string = xstrdup("");
>   for (size_t i = 0; i < vector->count; i++) {
>     char *t = xasprintf("%s%s%s", string, i ? sep : "",
>                         vector->strings[i]);
>     free (string);
>     string = t;
>   }
>   return string;
> }
But xasprintf dynamically allocates memory, and thus is not a substitute for bounds-checking
functions like strlcpy, strcpy_s, etc. E.g., if you are *handed* a block of memory to use (with its length),
or if dynamic allocation is forbidden, or if you're trying to cost-effectively change
1 million lines of C code to reduce the risks of buffer overflow. Truncation is undesirable, but is a
WAY better result of usage mistakes compared to "1 million devices taken over by attackers" - the current model.
Please don't tell me "just recalculate the bounds correctly and constantly", because that's a
recipe for off-by-one errors. Don't tell me "write it perfectly", that's been failing for 4 decades+ now.
This discussion about the need for bounds-checking routines keeps coming up, over and over again,
because it's STILL a serious problem.
The discussion won't go away until the problem is fixed.
--- David A. Wheeler
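As an added example, not code from this thread or from glibc: the same join written for the case the reply describes, where the caller hands over a buffer and its length and no allocation is allowed. Like snprintf it returns the length the complete result would need, so a return value >= cap tells the caller the output was truncated rather than overflowed; the names vector_join_bounded and append_bounded and the struct layout are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/* Same shape as the struct assumed by the quoted vector_join. */
struct vector {
    size_t count;
    const char **strings;
};

/* Append src at dst + *pos without writing past dst[cap - 1], and keep
   dst NUL-terminated.  Returns strlen(src) regardless of how much fit,
   so the caller can total the size the full output would need. */
static size_t append_bounded(char *dst, size_t cap, size_t *pos, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0)
        return len;               /* nothing to write into, just count */
    if (*pos < cap - 1) {
        size_t room = cap - 1 - *pos;
        size_t n = len < room ? len : room;
        memcpy(dst + *pos, src, n);
        *pos += n;
    }
    dst[*pos] = '\0';             /* *pos <= cap - 1 here, so in bounds */
    return len;
}

/* Join vector->strings with sep into the caller-supplied dst of size cap.
   Returns the length the complete result would have (like snprintf):
   a value >= cap means the output was truncated, never overflowed. */
size_t vector_join_bounded(char *dst, size_t cap,
                           const struct vector *vector, const char *sep)
{
    size_t pos = 0, need = 0;
    if (cap > 0)
        dst[0] = '\0';            /* an empty vector yields "" */
    for (size_t i = 0; i < vector->count; i++) {
        if (i)
            need += append_bounded(dst, cap, &pos, sep);
        need += append_bounded(dst, cap, &pos, vector->strings[i]);
    }
    return need;
}
```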