From owner-freebsd-arch@FreeBSD.ORG Tue Dec 13 12:41:40 2005
Return-Path:
X-Original-To: freebsd-arch@FreeBSD.org
Delivered-To: freebsd-arch@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB41E16A420 for ; Tue, 13 Dec 2005 12:41:40 +0000 (GMT) (envelope-from bde@zeta.org.au)
Received: from mailout2.pacific.net.au (mailout2.pacific.net.au [61.8.0.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id F067343D6A for ; Tue, 13 Dec 2005 12:41:38 +0000 (GMT) (envelope-from bde@zeta.org.au)
Received: from mailproxy2.pacific.net.au (mailproxy2.pacific.net.au [61.8.0.87]) by mailout2.pacific.net.au (8.13.4/8.13.4/Debian-3) with ESMTP id jBDCfbfq004209; Tue, 13 Dec 2005 23:41:37 +1100
Received: from epsplex.bde.org (katana.zip.com.au [61.8.7.246]) by mailproxy2.pacific.net.au (8.13.4/8.13.4/Debian-3) with ESMTP id jBDCfYDv005650; Tue, 13 Dec 2005 23:41:35 +1100
Date: Tue, 13 Dec 2005 23:41:34 +1100 (EST)
From: Bruce Evans
X-X-Sender: bde@epsplex.bde.org
To: Poul-Henning Kamp
In-Reply-To: <9880.1134463229@critter.freebsd.dk>
Message-ID: <20051213230723.T3248@epsplex.bde.org>
References: <9880.1134463229@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Max Laier , freebsd-arch@FreeBSD.org
Subject: Re: printf behaviour with illegal or malformed format string
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion related to FreeBSD architecture
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 13 Dec 2005 12:41:40 -0000

On Tue, 13 Dec 2005, Poul-Henning Kamp wrote:

> In message <20051213175413.H80942@delplex.bde.org>, Bruce Evans writes:
>
>> There is also fmtcheck(3).
>
> I didn't even know about that one, but given that there are only two
> uses in all of /src I do not feel ashamed.

I learned about it from commit mail (or arch?) when Kris was sweeping for
security holes related to printf formats.

>> Extensions should rarely be needed for printf(),
>
> Actually I disagree with you on that.
>
> It was my list of "things I keep doing over and over" that convinced
> me otherwise.

Now I think they should be very rarely needed and more rarely used.  Using
them mainly gives unportable code that breaks especially badly on systems
which don't support extensions.

> Here are some of the formats I miss, and which I will probably write
> extensions for so people can trivially enable them:
>
> %T    print a time_t
> %lT   print a struct timeval
> %llT  print a struct timespec
> %I    print an IP#
> %lI   print an IPv6#
> %H    Hexdump
> %V    stringvis a string
> %M    Metric (like the "engineering" format on HP calculators)
> %H    "Human" (Tera,Giga,Mega,Kilo{bits,bytes})

I think these belong in specialized applications or libraries.

%T is already handled better by strftime/gmtime/localtime.  It has lots of
subformats and delicate conversion issues.  A generic %T couldn't reasonably
support much more than "%[#0- +,]*.*T".  If a generic version were
implemented as a function in libc, then printf("%T", asprintf_time_t(tt))
wouldn't be much harder to write than printf("%T", tt), but storage
management for it would be harder.  Maybe you really want to write
cout << tt :-).

>>>> I'm leaning towards doing what phkmalloc has migrated to over time:
>>>> Make a variable which can select between "normal/paranoia" and force
>>>> it to paranoia for (uid==0 || gid==0 || setuid || setgid).
>>>>
>>>> If the variable is set, a bogus format string will result in abort(2).
>>
>> This sometimes breaks defined behaviour.
>
> It does ?  I didn't think there was defined behaviour for bogus
> format strings ?

I mean aborting instead of returning NULL for failing malloc()s breaks
defined behaviour.

Bruce
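The fmtcheck(3) that Bruce mentions is the defensive counterpart to the whole thread: instead of deciding what printf should do once a bogus format reaches it, the caller compares a format string that arrived from an untrusted place (a message catalog, a configuration file) against a trusted default and uses the default whenever the two would consume different arguments. The block below is an added example of that idea and is not FreeBSD's libc code; fmt_check and fmt_classes are hypothetical names, the sample strings are constructed, and the parser deliberately understands only the integer, floating-point, character, string and pointer conversions with the l, ll, h and hh modifiers, treating everything else (including %n and a trailing bare '%') as a reason to fall back.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not FreeBSD's fmtcheck(3) implementation): the argument
 * class each conversion consumes. */
enum fmt_class { FMT_INT, FMT_LONG, FMT_LLONG, FMT_DOUBLE, FMT_STRING, FMT_PTR };

/* Walk fmt, record the class of every argument it would consume in classes[],
 * and return the count. Returns -1 for anything that should never come from
 * an untrusted source: %n, unknown conversions, unsupported length modifiers,
 * a trailing bare '%', or more conversions than max. */
static int fmt_classes(const char *fmt, enum fmt_class *classes, int max)
{
    int n = 0;
    const char *p;

    for (p = fmt; *p != '\0'; p++) {
        int lmod = 0;           /* 0 none, 1 'l', 2 'll', -1 'h' or 'hh' */
        enum fmt_class c;

        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" prints a percent and takes no argument */
            continue;
        while (*p != '\0' && strchr("#0- +", *p) != NULL)
            p++;                /* flags */
        if (*p == '*') {        /* width supplied as an int argument */
            if (n >= max) return -1;
            classes[n++] = FMT_INT;
            p++;
        } else {
            while (*p >= '0' && *p <= '9') p++;
        }
        if (*p == '.') {        /* precision, possibly also an int argument */
            p++;
            if (*p == '*') {
                if (n >= max) return -1;
                classes[n++] = FMT_INT;
                p++;
            } else {
                while (*p >= '0' && *p <= '9') p++;
            }
        }
        if (*p == 'l') {
            lmod = 1; p++;
            if (*p == 'l') { lmod = 2; p++; }
        } else if (*p == 'h') {
            lmod = -1; p++;
            if (*p == 'h') p++;
        }
        switch (*p) {
        case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
            c = lmod <= 0 ? FMT_INT : lmod == 1 ? FMT_LONG : FMT_LLONG;
            break;
        case 'c': case 's': case 'p':
        case 'f': case 'F': case 'e': case 'E': case 'g': case 'G':
            if (lmod != 0) return -1;   /* no length modifier allowed here */
            c = *p == 'c' ? FMT_INT : *p == 's' ? FMT_STRING :
                *p == 'p' ? FMT_PTR : FMT_DOUBLE;
            break;
        default:                /* %n, %z..., a bare trailing '%', anything odd */
            return -1;
        }
        if (n >= max) return -1;
        classes[n++] = c;
    }
    return n;
}

/* The check itself: returns fmt only if it consumes exactly the same argument
 * classes, in the same order, as the trusted dflt; otherwise returns dflt.
 * The caller passes the result, never the raw untrusted string, to printf. */
const char *fmt_check(const char *fmt, const char *dflt)
{
    enum fmt_class a[32], b[32];
    int na, nb;

    if (fmt == NULL)
        return dflt;
    na = fmt_classes(fmt, a, 32);
    nb = fmt_classes(dflt, b, 32);
    if (na < 0 || nb < 0 || na != nb)
        return dflt;
    if (na > 0 && memcmp(a, b, (size_t)na * sizeof a[0]) != 0)
        return dflt;
    return fmt;
}

int main(void)
{
    /* Constructed input: a catalog string that replaced %d with %s, which
     * would make printf dereference an int as a char pointer. */
    const char *trusted = "%s has %d unread messages\n";
    const char *from_catalog = "%s from %s\n";
    const char *ok_catalog = "%s: %d new\n";

    printf(fmt_check(from_catalog, trusted), "alice", 3); /* falls back to trusted */
    printf(fmt_check(ok_catalog, trusted), "bob", 0);     /* passes through */
    return 0;
}
```

Because the check returns one of its two inputs unchanged, it adds no storage management, which is the property that makes it easy to drop in front of every printf that takes a format from outside the program; the cost is that a rejected string is silently replaced by the default rather than reported, so a program that cares would log the fallback.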