> No need to go ballistic about my mail.

I am not.

> On Mon, Mar 14, 2005 at 02:10:05PM -0700, Theo de Raadt wrote:
> >libc is now compiled to warn about such things.
>
> Yeah, I'm aware of that, I'm no newbie, but a software developer myself.
>
> >Yes, there is a library like that included in OpenBSD, used by a few
> >rare applications here and there..
>
> >You may have heard of sprintf being associated with buffer overflows
> >over the last, oh, what, 10 or more years?
>
> And yeah, I have heard that. I'm fond of the ways OpenBSD uses to defend
> against bugs like that, using multiple lines of defence (propolice, W^X
> including a non-exec stack, randomized library load addresses, etc.),
> and I'm very okay with this warning too (eliminated 2 sprintf
> occurrences in own code too, they were non-critical, but easy to
> replace, was things like char buf[4]; sprintf(buf, "%02x", ...),
> replaced by the obvious snprintf(buf, sizeof(buf), "%02x", ...)).

Then tell them to fix it.

> So no need to defend against a non-existent criticism.

Huh?

> >In this case, it's not really our problem.

Go do a ports tree compile.

> >Please alert the GNU people about this problem in their code.
>
> It's OpenBSD's copy of GNU code in this case (libstdc++ in OpenBSD's
> source tree). I didn't refer to any ports.

It is code that they have had 10 years to fix.

Now go tell them.

> >From now on, including OpenBSD 3.7, we will warn for such bad functions
> >being called.
>
> Which is a good thing.

So go tell them.

> >But it is up to the individual outside-source groups to clean their own
> >code up.
>
> >So mail them.
>
> I think this case is a bit difficult. As I wrote in my original mail,
> there *is* a snprintf variant in that libstdc++ code. It's just the
> "configuration" of libstdc++ which assumes (wrongly, of course) that
> OpenBSD had no snprintf and falls back to sprintf. That's probably
> because it links usage of snprintf and usage of other C99 stuff (if I
> believe the name of the preprocessor define which is tested for).

Huh? They are calling sprintf. I can guarantee to you that it will be
used incorrectly by some application.

So go tell them.

> If I had known an easy and clean way to fix it, I'd have suggested a
> diff for
> /usr/src/gnu/lib/libstdc++/libstdc++/config/locale/{gnu,generic}/c_locale.h

Go tell THEM. It is not our code!

> I'm leaving parts of the original mail intact so you can see the
> important parts.

Why does it matter? It is GNU code written by other people.

If you see such warnings in non-OpenBSD code, GO TELL THOSE PEOPLE WHO
RUN THE SHOW.
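The thread mentions replacing `char buf[4]; sprintf(buf, "%02x", ...)` with `snprintf(buf, sizeof(buf), "%02x", ...)` but does not show why the unbounded call is dangerous or how to detect when even the bounded call had to truncate. The following is an added example, not code from the thread or from OpenBSD or libstdc++; the function names (`format_hex_bounded`, `hex_fits`, `sprintf_overrun_bytes`) and the sample values are assumptions made for illustration. It shows that `"%02x"` is a minimum width, not a maximum, so values above 0xff need more than the 4-byte buffer; `snprintf` stays inside the buffer and its return value reveals the truncation, while `sprintf_overrun_bytes` measures how far the original `sprintf` would have written past the end.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the thread. Same buffer size as the thread's
 * "char buf[4]" so the numbers below match that case. */
#define HEXBUF_LEN 4

/* Bounded replacement for sprintf(buf, "%02x", v).
 * Returns 1 if the whole string fit in len bytes, 0 if snprintf truncated.
 * The buffer is NUL-terminated either way (for len > 0). */
int format_hex_bounded(char *buf, size_t len, unsigned v)
{
    /* snprintf writes at most len bytes (including the NUL); its return
     * value is the length the full output would have had, so a result of
     * len or more means the output was cut short. */
    int n = snprintf(buf, len, "%02x", v);
    return n >= 0 && (size_t)n < len;
}

/* Convenience wrapper: does v fit in a HEXBUF_LEN-byte buffer as "%02x"? */
int hex_fits(unsigned v)
{
    char buf[HEXBUF_LEN];
    return format_hex_bounded(buf, sizeof buf, v);
}

/* Number of bytes the unbounded sprintf(buf, "%02x", v) would have written
 * past the end of a HEXBUF_LEN buffer (0 means it would have been safe).
 * snprintf(NULL, 0, ...) measures the output length without writing. */
int sprintf_overrun_bytes(unsigned v)
{
    int needed = snprintf(NULL, 0, "%02x", v) + 1; /* +1 for the NUL */
    return needed > HEXBUF_LEN ? needed - HEXBUF_LEN : 0;
}

int main(void)
{
    char buf[HEXBUF_LEN];
    /* Constructed sample inputs: two that fit, one at the limit, one too wide. */
    unsigned samples[] = { 0x0a, 0xff, 0x100, 0x12345 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fit = format_hex_bounded(buf, sizeof buf, samples[i]);
        printf("%#x -> \"%s\" %s (sprintf would overrun by %d bytes)\n",
               samples[i], buf, fit ? "ok" : "TRUNCATED",
               sprintf_overrun_bytes(samples[i]));
    }
    return 0;
}
```

Checking the return value matters: a bounded call silently produces "123" for 0x12345, which is a wrong but memory-safe result, so callers that need the full string should treat a return of 0 from `format_hex_bounded` as an error rather than use the truncated buffer.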