From 36c70760a0bf01860eb1fc3c174bd5647d9b83fa Mon Sep 17 00:00:00 2001
From: Jonas 'Sortie' Termansen
Date: Wed, 24 Sep 2014 16:04:01 +0200
Subject: [PATCH] Warn on sprintf use.

---
 doc/obsolete-stuff | 12 ++++++++++++
 libc/include/stdio.h | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/doc/obsolete-stuff b/doc/obsolete-stuff
index 0c04e74c..37661a6c 100644
--- a/doc/obsolete-stuff
+++ b/doc/obsolete-stuff
@@ -218,6 +218,18 @@ particular problem.
 
 Sortix currently provides this function for compatibility reasons.
 
+sprintf
+-------
+
+The sprintf function is dangerous as it can be hard to predict the length of the
+output string safely. A mistake can easily end in security vulnerabilities and
+undefined behavior. Use the snprintf function instead as it knows the size of
+the destination buffer and safely truncates in the error case. Such truncation
+can be detected by the cacller. Use the asprintf function or another approach if
+determinining the output length is hard.
+
+Sortix currently provides this function for compatibility reasons.
+
 strings.h
 ---------
 
diff --git a/libc/include/stdio.h b/libc/include/stdio.h
index 107d67cf..fa2d404e 100644
--- a/libc/include/stdio.h
+++ b/libc/include/stdio.h
@@ -166,6 +166,9 @@ int rename(const char* oldname, const char* newname);
 void rewind(FILE* stream);
 void setbuf(FILE* __restrict stream, char* __restrict buf);
 int setvbuf(FILE* __restrict stream, char* __restrict buf, int type, size_t size);
+#if !defined(__is_sortix_libc) /* not a warning inside libc */
+__attribute__((__warning__("sprintf() is dangerous, use snprintf()")))
+#endif
 int sprintf(char* __restrict s, const char* __restrict format, ...)
 	__attribute__((__format__ (printf, 2, 3)));
 int scanf(const char* __restrict format, ...)
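Review bot: The `__warning__` attribute added in front of `int sprintf(...)` (and in front of `vsprintf` in the following hunk) leaves callers no way to acknowledge a call whose destination is provably large enough, so under `-Werror` correct third-party code stops building and the only exemption is the libc-internal `__is_sortix_libc` guard. Consider a documented opt-out in the same guard, e.g. `#if !defined(__is_sortix_libc) && !defined(__SORTIX_ALLOW_SPRINTF)` (constructed name), and extend the guard comment to say that GCC emits this diagnostic only for direct calls that survive optimization — taking the function's address and calling through the pointer is, as far as I can tell, not diagnosed, so the warning is a hint rather than a guarantee. The attribute is a GNU extension that older Clang does not implement; wrapping it in a `__has_attribute(__warning__)` check, which the header's existing `__attribute__((__format__ ...))` use does not need but this one does, would avoid an unknown-attribute warning replacing the intended one.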
@@ -178,6 +181,9 @@ int vfprintf(FILE* __restrict stream, const char* __restrict format, __gnuc_va_l
 	__attribute__((__format__ (printf, 2, 0)));
 int vprintf(const char* __restrict format, __gnuc_va_list ap)
 	__attribute__((__format__ (printf, 1, 0)));
+#if !defined(__is_sortix_libc) /* not a warning inside libc */
+__attribute__((__warning__("vsprintf() is dangerous, use vsnprintf()")))
+#endif
 int vsprintf(char* __restrict s, const char* __restrict format, __gnuc_va_list ap)
 	__attribute__((__format__ (printf, 2, 0)));