
Re: Unchecked sprintf/strcat?



On Wed, May 24, 2006 at 01:23:17PM +0000, Rocco Rutte wrote:
> * TAKAHASHI Tamotsu [06-05-24 20:12:28 +0900] wrote:
> >safe_* will abort() to dump core if overflowed.
> 
> I think this is really bad for the "main" reason that the implementation 
> of these "safe" functions cannot know how to deal with an error 
> properly.
> 
Yes. That's why safe_* should definitely be used only for preventing
*internal* errors, like miscalculated or outdated buffer sizes.

>   1. Don't handle the errors in the wrapper functions but move it out
>   to calling code as much as possible because only the caller can know
>   what to do in case of an error. And a general abort() is just wrong.
> 
Yes, in any case when we are dealing with data of unknown length, it
should be explicitly checked and a "regular" message printed if it is
found to be too long.
Sort of the only place where a check is not mandatory is displaying
something on the screen, even though even then one might want to show an
ellipsis or something.

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Chaos, panic, and disorder - my work here is done.
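The two styles argued for above, side by side, as an added C example that is not code from mutt or from anyone in this thread. An aborting `safe_strcat` guards buffer sizes the program itself computed, a `checked_strcat` hands the decision back to the caller for data of unknown length, and `ellipsize` covers the display case; all four function names and `build_line` are illustrative assumptions, not mutt identifiers.

```c
/* Added example, not mutt's code. Names are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Style 1: the "safe_*" wrapper. An overflow here means the caller lied
 * about its own buffer size, i.e. a programming error, so the only sane
 * response is abort() and a core dump for the developer. */
static void safe_strcat(char *dst, size_t dstlen, const char *src)
{
    size_t dlen = strlen(dst);
    size_t slen = strlen(src);
    if (dlen >= dstlen || slen >= dstlen - dlen) {
        fprintf(stderr, "safe_strcat: internal buffer of %zu bytes overflowed\n",
                dstlen);
        abort();
    }
    memcpy(dst + dlen, src, slen + 1);   /* +1 copies the terminating NUL */
}

/* Style 2: data of unknown length from outside (a header, a file name).
 * The wrapper only reports that it does not fit; nothing is written and
 * the caller decides what to tell the user. Returns 0 on success, -1 if
 * the result would not fit. */
static int checked_strcat(char *dst, size_t dstlen, const char *src)
{
    size_t dlen = strlen(dst);
    size_t slen = strlen(src);
    if (dlen >= dstlen || slen >= dstlen - dlen)
        return -1;
    memcpy(dst + dlen, src, slen + 1);
    return 0;
}

/* Display case: the one place where quietly cutting the text is fine.
 * Copies src into dst, replacing the tail with "..." when it is too long.
 * Returns 1 if truncated, 0 if copied whole. */
static int ellipsize(char *dst, size_t dstlen, const char *src)
{
    size_t slen = strlen(src);
    if (dstlen == 0)
        return 1;
    if (slen < dstlen) {
        memcpy(dst, src, slen + 1);
        return 0;
    }
    if (dstlen < 4) {          /* no room for "..." plus at least one char */
        dst[0] = '\0';
        return 1;
    }
    size_t keep = dstlen - 4;  /* kept chars + "..." + NUL == dstlen */
    memcpy(dst, src, keep);
    memcpy(dst + keep, "...", 4);
    return 1;
}

/* A caller that mixes both: the fixed prefix is internal data, so an
 * overflow there is a bug; the name came from outside, so a failure is
 * reported with a regular message instead of killing the program. */
static int build_line(char *out, size_t outlen, const char *name)
{
    out[0] = '\0';
    safe_strcat(out, outlen, "To: ");
    if (checked_strcat(out, outlen, name) != 0) {
        fprintf(stderr, "address too long (limit %zu bytes)\n", outlen - 1);
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[16];   /* constructed sample buffer */
    char shown[8];
    if (build_line(line, sizeof line, "alice") == 0)
        puts(line);
    build_line(line, sizeof line, "averyveryverylongname");  /* reports, no abort */
    ellipsize(shown, sizeof shown, "abcdefghijk");
    puts(shown);     /* abcd... */
    return 0;
}
```

The split is the point of the thread: `safe_strcat` never sees untrusted lengths, so its `abort()` only ever fires on a genuine bug, while `checked_strcat` never decides policy for the caller.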