Age | Commit message | Author
Largely considered attack surface nowadays. The benefit provided by %n
is completely overshadowed by the risk.
New uses of %n don't seem to be entering the C ecosystem, as static
tools flag them. And everyone points fingers at those people....
The list of programs (and libraries) which use %n is therefore finite
and shrinking. Most of the %n use comes out of the GNU ecosystem.
jca@ has convinced gnulib to fix their code (so we need to wait for
software including gnulib to make new releases).
A few libraries have moved ahead of us and become more strict. Some no
longer permit %n (for instance, android bionic). Others log the occurrence.
Some log and abort if the output location is W|X (MacOS).
Our base tree is clean. The ports tree contains a handful during
build time, and unknown count (more) during runtime.
We would like to abort programs on any occurrence of %n. Or we could
be like MacOS, aborting for W|X pages (but would need a system call
which can check that condition, and that introduces address space
knowledge we don't want attackers to know, and may be a poor tradeoff).
For now, we can syslog, to increase awareness, and involve more people
in the greater community to remove %n uses.
[If %n is at the end, use the *printf return value. If it occurs in
the middle, split the printf calls into multiples]
Hopefully one day, we can just abort() when %n happens. Help us get
there?
ok jca, plus naddy for ports team
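The rewrite the message recommends, shown as an added example that is not part of the OpenBSD commit or of libc itself. The legacy version keeps %n only so the two can be compared; the replacement splits the call at the point where %n used to sit and takes the offset from the first snprintf(3) return value. The function names and the "label: value" line format are assumptions made for illustration.

```c
/* Added example (not OpenBSD code): removing %n from a formatting routine.
 * The helper names and the "label: value" format are assumptions. */
#include <stdio.h>
#include <string.h>

/* Legacy pattern: %n stores the number of bytes emitted so far into *off.
 * Kept only so the replacement below can be checked against it. */
static int
legacy_label_value(char *buf, size_t len, const char *label, int value, int *off)
{
	return snprintf(buf, len, "%s: %n%d", label, off, value);
}

/* Replacement: %n sat in the middle of the format, so the call is split
 * in two and the return value of the first half is the offset %n used
 * to report. Returns the total byte count, or -1 on error or truncation. */
static int
safe_label_value(char *buf, size_t len, const char *label, int value, int *off)
{
	int n, m;

	n = snprintf(buf, len, "%s: ", label);
	if (n < 0 || (size_t)n >= len)
		return -1;
	*off = n;
	m = snprintf(buf + n, len - (size_t)n, "%d", value);
	if (m < 0 || (size_t)m >= len - (size_t)n)
		return -1;
	return n + m;
}

/* Returns 1 when both versions produce the same bytes, length and offset. */
static int
check_equivalent(const char *label, int value)
{
	char a[64], b[64];
	int oa = -1, ob = -1, ra, rb;

	ra = legacy_label_value(a, sizeof a, label, value, &oa);
	rb = safe_label_value(b, sizeof b, label, value, &ob);
	return ra == rb && oa == ob && strcmp(a, b) == 0;
}

/* Offset of the value field as computed by the %n-free version. */
static int
safe_offset(const char *label, int value)
{
	char buf[64];
	int off = -1;

	if (safe_label_value(buf, sizeof buf, label, value, &off) < 0)
		return -1;
	return off;
}

/* Returns 1 when a too-small buffer is reported as -1 instead of
 * leaving a silently truncated line behind. */
static int
safe_truncates(void)
{
	char small[4];
	int off = 0;

	return safe_label_value(small, sizeof small, "uid", 1000, &off) == -1;
}

int
main(void)
{
	char line[64];
	int off = 0, n;

	n = safe_label_value(line, sizeof line, "uid", 1000, &off);
	printf("%s (len %d, value starts at byte %d)\n", line, n, off);
	return 0;
}
```

Checking each return value against the remaining space is what makes the split version strictly better than the %n original: under truncation, snprintf(3) reports (and %n records) the length the output would have had, not what actually landed in the buffer, so a caller that trusts the %n offset can index past the real end of the string.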
OK deraadt@
OK deraadt@ martijn@
OK martijn@ mpi@
list of "[size]n" includes "n" on its own, thereby the "int" case is
described correctly.
ok schwarze
to properly show the (differing) syntaxes of all the conversion
specifications, and reduce the amount of forward references from
the list of modifiers to the list of specifiers.
While here, properly explain %lc and %ls.
Also correct RETURN VALUES, which incorrectly talked about
counting characters while actually bytes are counted.
Using feedback from millert@, deraadt@, tb@, and Martin Vahlensieck.
OK deraadt@, millert@, and tb@ on intermediate versions of this diff
and no objections from jmc@.
1. Clarify that %G uses %F, not %f; noticed by millert@.
2. Mention that %g originally meant "general notation", see:
https://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/src/libc/stdio/doprnt.s
Triggered by a somewhat different patch from Ian <ropers at gmail dot com>.
Feedback and OK millert@ and jmc@.
ok guenther@ and deraadt
a few cases that weren't altogether straightforward;
tweak and OK jmc@, OK sobrado@
and that the ret pointer is either unchanged or set to NULL
in this case.
Since these two functions are not standardized by POSIX,
documenting the actual behaviour is the way to go, and the
above matches all non-buggy implementations we are aware of.
OK millert@ deraadt@
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
of the return values to RETURN VALUES, deprecate [v]sprintf(3)
and fix a punctuation typo.
Joint work with and OK millert@.
failure is with < 0, not the more specific -1 from C
discussed at length with millert, nicm, schwarze
i.e. those other than LC_CTYPE, into the CAVEATS section, and
standardize wording somewhat.
OK jmc@
value is given for the off. found by nagasaka at IIJ.
ok deraadt
Doing the fchown call causes pledge("tmppath") to be insufficient and the
umask dance may cause race-conditions in multithreaded applications.
Also POSIX states the following nowadays:
implementations may restrict the permissions, either by clearing the file
mode bits or setting them to the value S_IRUSR | S_IWUSR.
Encouraging words from tedu@
Standards verification and OK millert@
fflush() as the variable is stack based (no possible concurrent access).
call directly __sflush()
ok visa@ deraadt@
CAVEATS pointing to the new CAVEATS section in setlocale(3).
Make those in wprintf(3) and wscanf(3) more concise
since duplicate information is a bad idea.
Incompleteness of information originally pointed out by millert@.
OK millert@
to wprintf(3) with OK cheloha@ tedu@; also triggered by a
smaller diff from Jan Stary <hans at stare dot cz>.
and explain best practice for portable programs below CAVEATS.
Triggered by a smaller diff from Jan Stary <hans at stare dot cz>.
Emphatic OKs from cheloha@ and tedu@.
be reset before each call to __srefill(). Passes new regress.
OK semarie@
databases/tdb from ports.
passed to fread(3) directly in the FILE * and call __srefill() in
a loop without the memcpy(). This preserves the expected behavior
in all cases. OK semarie@, "This is neat" tedu@
EOF or error. This caused a regression in the cPickle python extension.
failure. This change brings fwscanf(3) back in line with fscanf(3).
From FreeBSD; ok deraadt@, millert@
string-handling <stdio.h> functions, like we already do it for <string.h>.
Includes a smaller patch from <kshe59 at zoho dot eu>, OK jmc@.
while here, consistently use .Fo to cure excessive line lengths
with "warning: " since 2003, so the messages themselves need not
contain the prefix anymore.
From Scott Cheloha
ok jca, deraadt
using mbrtowc(3). Thus, we now treat the format string as a bytestring,
not as a multibyte character string.
We think that ANSI C made a small error when adding wide characters:
The committees essentially replaced "characters" with "wide characters"
in the existing printf documentation, which was written before the
concept of processing was established. Doing processing on the format
string would break some 8-bit format strings in the wild, and that
isn't something these committees gave themselves license to do.
Based on the "10x printf speedup" commit from android found by tedu:
https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3
Thanks to millert and schwarze for digging into the history and
testing *printf behavior on other platforms.
ok deraadt, millert
changes by schwarze to vfprintf.c r1.71. Cherrypicked from android:
https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3
ok millert
ok schwarze@
2. point to getline (suggested by nicm@)
3. cross reference fgetc(3) rather than putc(3)
4. add missing error handling to the example code
OK nicm@
inspired by a similar change to fgetln.
ok deraadt millert
the string buffer used by asprintf() and vasprintf(). OK deraadt@
buffers. We don't bother doing this for objects containing pointers,
but focus on controllable data.
ok millert
we expanded the buffer to a single page. The final realloc() can
be expensive for large buffers and is not really needed. OK deraadt@
nearest page instead of doubling the old size until it is large
enough. OK deraadt@