This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Implement strlcat [BZ#178]
- From: Paul Eggert <eggert at cs dot ucla dot edu>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Tue, 24 Nov 2015 12:36:34 -0800
- Subject: Re: [PATCH] Implement strlcat [BZ#178]
- Authentication-results: sourceware.org; auth=none
- References: <56547472 dot 3010302 at redhat dot com> <5654B1FE dot 5020100 at cs dot ucla dot edu> <5654B796 dot 7070302 at redhat dot com>
On 11/24/2015 11:16 AM, Florian Weimer wrote:
> We don't do that for snprintf, which is very similar, and
> we do not check most snprintf results in glibc.
That's a bad precedent and we should not make things worse by furthering
it. In the places where glibc calls snprintf without checking the return
value, snprintf never silently truncates its output, so the extra size
argument is merely making the code more confusing (and a bit slower) and
glibc should be calling sprintf instead.
The confusion in question doesn't merely affect the human reader. This
is an area where using snprintf makes glibc less reliable, assuming
reasonably modern security technology. If one of these unchecked
snprintf calls were buggy and actually did silently truncate its output,
the bug would be masked by glibc's current use of snprintf, whereas if
the code used sprintf with fortify checking the bug would be caught and
reported.
Thanks for the updated manual patch; I'll take a look at it.
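An added example (not code from this thread or from glibc) of the point Paul makes about unchecked snprintf: the helper names `build_path_unchecked` and `build_path_checked`, the buffer size, and the input strings are all constructed for illustration. It shows how an unchecked call silently returns a truncated string, while checking snprintf's return value exposes the truncation; the fortify contrast is described in the comment, since it manifests as an abort rather than a return value.

```c
/* snprintf returns the length the complete output would have had, so a
   result >= the buffer size means truncation.  The unchecked style below
   hides that; the checked style reports it.  For the contrast Paul
   describes: compile with -O2 -D_FORTIFY_SOURCE=2 and a plain sprintf
   into a fixed-size buffer is replaced by __sprintf_chk, which aborts
   on overflow, whereas snprintf into the same buffer just truncates. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 16 /* deliberately small so the sample input overflows */

/* Unchecked style: the result is returned whether or not it was cut short. */
static const char *
build_path_unchecked (char *buf, size_t bufsz, const char *dir, const char *file)
{
  snprintf (buf, bufsz, "%s/%s", dir, file);
  return buf;
}

/* Checked style: report truncation so the caller never uses a mangled path. */
static bool
build_path_checked (char *buf, size_t bufsz, const char *dir, const char *file)
{
  int n = snprintf (buf, bufsz, "%s/%s", dir, file);
  if (n < 0)
    return false;             /* encoding error */
  if ((size_t) n >= bufsz)
    return false;             /* output truncated: buf is not the full path */
  return true;
}

int
main (void)
{
  char buf[PATH_BUF];
  /* Constructed input: 28 bytes once joined, longer than PATH_BUF - 1. */
  const char *dir = "/usr/local/lib", *file = "libexample.so";

  build_path_unchecked (buf, sizeof buf, dir, file);
  printf ("unchecked: \"%s\" (silently truncated)\n", buf);

  if (!build_path_checked (buf, sizeof buf, dir, file))
    printf ("checked: truncation detected, result not used\n");
  return 0;
}
```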