[Bug c++/46513] Request: Warning for use of unsafe string handling functions
joseph at codesourcery dot com
gcc-bugzilla@gcc.gnu.org
Wed Nov 17 11:51:00 GMT 2010
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=46513
--- Comment #6 from joseph at codesourcery dot com <joseph at codesourcery dot com> 2010-11-17 11:50:16 UTC ---
On Wed, 17 Nov 2010, noloader at gmail dot com wrote:
> I stand corrected: C1X draft dated 2010-10-04 now includes the bounds checking
> interfaces. See "C1X Draft",
> http://www.open-std.org/Jtc1/sc22/wg14/www/docs/n1516.pdf at
> http://www.open-std.org/Jtc1/sc22/wg14/www/projects.
>
> So in addition to [nearly ubiquitous] support for strlcpy and friends, we will
> have strcpy_s and friends.
I can't imagine glibc will want to have that set of functions in libc - I
expect it will simply omit that optional set of interfaces and not define
__STDC_LIB_EXT1__. Maybe someone will write a glibc add-on putting them
in a separate library that a handful of people might then use.
*Some* of the functions there are useful, but the notion that tmpfile (for
example) has security issues requiring tmpfile_s is nonsense. And the
main utility of most of those functions is to retrofit security
improvements to old code without understanding it. glibc has its own
means for such retrofitting (in particular _FORTIFY_SOURCE). In both
cases they are really a matter of reducing the risk from certain kinds of
bugs rather than fixing them; to fix them, you need actually to understand
the code and determine when you should avoid arbitrary limits and allocate
as much memory as needed (taking care about overflow when calculating
allocation sizes) and when you should impose limits and how you should
handle overflow of them (quietly truncating is not generally a good
approach); safer interfaces and _FORTIFY_SOURCE should then be used *on
top of* proper design and calculation of allocations, to reduce the risk
of any remaining bugs, rather than as a substitute for avoiding the
possibility of overflow or truncation in the first place.
If you wish to enforce a coding standard disallowing certain functions in
a particular code base, you are free to use existing GCC features such as
"#pragma GCC poison" and the "deprecated" attribute. That seems better to
me than GCC embedding particular assumptions about a particular set of
functions, when everyone will have their own preferences about what
functions should be used and whether functions are safe in a given code
base depends on how it uses them.
More information about the Gcc-bugs
mailing list