Re: Unchecked sprintf/strcat?
On Wed, May 24, 2006 at 01:23:17PM +0000, Rocco Rutte wrote:
> * TAKAHASHI Tamotsu [06-05-24 20:12:28 +0900] wrote:
> >safe_* will abort() to dump core if overflowed.
>
> I think this is really bad for the "main" reason that the implementation
> of these "safe" functions cannot know how to deal with an error
> properly.
>
yes. that's why safe_* should be definitely used only for preventing
*internal* errors, like miscalculated or outdated buffer sizes.
> 1. Don't handle the errors in the wrapper functions but move it out
> to calling code as much as possible because only the caller can know
> what to do in case of an error. An a general abort() is just wrong.
>
yes, in any case when we are dealing with data of unknown length, it
should be explicitly checked and a "regular" message printed if it is
found to be too long.
sort of the only place where a check is not mandatory is displaying
something on the screen, even though even then one might want to show an
ellipsis or something.
--
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Chaos, panic, and disorder - my work here is done.