| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120308074837.GE20784@elte.hu> Date: Thu, 8 Mar 2012 08:48:37 +0100 From: Ingo Molnar <mingo@...e.hu> To: Peter Seebach <peter.seebach@...driver.com> Cc: Arnaldo Carvalho de Melo <acme@...hat.com>, Anton Blanchard <anton@...ba.org>, paulus@...ba.org, peterz@...radead.org, dsahern@...il.com, fweisbec@...il.com, yanmin_zhang@...ux.intel.com, emunson@...bm.net, linux-kernel@...r.kernel.org Subject: Re: [PATCH] perf: Incorrect use of snprintf results in SEGV * Peter Seebach <peter.seebach@...driver.com> wrote: > On Wed, 7 Mar 2012 21:37:25 +0100 > Ingo Molnar <mingo@...e.hu> wrote: > > > You are missing two important aspects: > > > > 1) Dynamic reallocation on snprintf() failure is an utterly rare > > thing - it is used in less than 1% of snprintf() invocations. > > (Yes, I just checked a couple of codebases.) > > I would agree that it's very rare. But then, using the return > value at all isn't especially common in my experience -- the > only interesting part, most of the time, is "we're sure this > didn't overrun the buffer". Erm. Doing: += snprintf(...); is a *very* common pattern within the kernel. It occurs more than a thousand times - i.e. about 25% of all snprintf uses (~5000 instances) within the kernel does care about the return value. I found only a single case that did a reallocation if the buffer did not fit. Lets assume that I missed some and there's 4 altogether. I.e. the API usage proportion, within the kernel project, looks like this, approximately: snprintf() call site that: does not care about the return value: 75.0% uses the return value as a 'written' count: 24.9% wants to dynamically reallocate: 0.1% > > We *DONT* want to make APIs more fragile just to accomodate a > > rare, esoteric usecase! > > I would view snprintf as an API which already exists. Changing it is obviously not possible anymore. I was just countering your justification for it - which is still wrong. People might read that and use it to justify newly introduced, crappy APIs. The 0.1% usecase is absolutely not a valid excuse to make an API less robust - *especially* when a separate API could serve that 0.1% case just fine. When designing APIs it is of utmost importance how average developers intuitively *think* it works - not how the designer thinks it should work ... Any severe mismatch between the two is a serious design FAIL that should not be repeated in new code. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists