safe version of sprintf

[Olaf]

Hi,

does exist a safe version/way of sprintf to prevent a buffer overflow by
using in this manner?

char* format = "0x%0.4X\n";
char buf[4];

sprintf(buf, format, number);

where the format can change at runtime? The buf size is fixed at compile
time.

In the example above the buffer is to small and it's written random in
memory.

Thanks
Olaf

 

[Malcolm McLean]

does exist a safe version/way of sprintf to prevent a buffer overflow by
using in this manner?

char* format = "0x%0.4X\n";
char buf[4];

sprintf(buf, format, number);

where the format can change at runtime? The buf size is fixed at compile
time.

In the example above the buffer is to small and it's written random in
memory.

snprintf().
sprintf() is hard to use safely if passed a %s parameter, or if the format
string is built dynamically.

 

[SM Ryan]

#
# > does exist a safe version/way of sprintf to prevent a buffer overflow by
# > using in this manner?
# >
# > char* format = "0x%0.4X\n";
# > char buf[4];
# >
# > sprintf(buf, format, number);
# >
# > where the format can change at runtime? The buf size is fixed at compile
# > time.
# >
# > In the example above the buffer is to small and it's written random in
# > memory.
# >
# snprintf().
# sprintf() is hard to use safely if passed a %s parameter, or if the format
# string is built dynamically.

You might also have asprintf where the library allocates the long
enough returned string itself.

 

[Keith Thompson]

does exist a safe version/way of sprintf to prevent a buffer overflow by
using in this manner?

char* format = "0x%0.4X\n";
char buf[4];

sprintf(buf, format, number);

where the format can change at runtime? The buf size is fixed at compile
time.

In the example above the buffer is to small and it's written random in
memory.

snprintf().
sprintf() is hard to use safely if passed a %s parameter, or if the
format string is built dynamically.

snprintf() was added in C99; your implementation might not support it,
and even if it does your code might then not be portable to other
implementations. (Note that the relevant part of the implementation
here is the library, not the compiler.)

But if you can count on snprintf being available on any
implementations you care about, it's definitely the right answer. And
there are open-source implementations out there, so you can probably
use it even where the vendor hasn't provided it.

 

[Flash Gordon]

Keith Thompson wrote, On 25/01/08 19:28:

does exist a safe version/way of sprintf to prevent a buffer overflow by
using in this manner?

char* format = "0x%0.4X\n";
char buf[4];

sprintf(buf, format, number);

where the format can change at runtime? The buf size is fixed at compile
time.

In the example above the buffer is to small and it's written random in
memory.

snprintf().
sprintf() is hard to use safely if passed a %s parameter, or if the
format string is built dynamically.

snprintf() was added in C99; your implementation might not support it,
and even if it does your code might then not be portable to other
implementations. (Note that the relevant part of the implementation
here is the library, not the compiler.)

But if you can count on snprintf being available on any
implementations you care about, it's definitely the right answer. And
there are open-source implementations out there, so you can probably
use it even where the vendor hasn't provided it.

You have to watch out because if I recall correctly at least one major
library that provides snprintf as an extension to C90 provides one that
is *not* the same as the C99 specification. I believe it is the return
value that is different.

 

[vippstar]

Keith Thompson wrote, On 25/01/08 19:28:

does exist a safe version/way of sprintf to prevent a buffer overflow by
using in this manner?
char* format = "0x%0.4X\n";
char buf[4];
sprintf(buf, format, number);
where the format can change at runtime? The buf size is fixed at compile
time.
In the example above the buffer is to small and it's written random in
memory.
snprintf().
sprintf() is hard to use safely if passed a %s parameter, or if the
format string is built dynamically.

snprintf() was added in C99; your implementation might not support it,
and even if it does your code might then not be portable to other
implementations. (Note that the relevant part of the implementation
here is the library, not the compiler.)

But if you can count on snprintf being available on any
implementations you care about, it's definitely the right answer. And
there are open-source implementations out there, so you can probably
use it even where the vendor hasn't provided it.

You have to watch out because if I recall correctly at least one major
library that provides snprintf as an extension to C90 provides one that
is *not* the same as the C99 specification. I believe it is the return
value that is different.

That would be the single unix spec v 2.

 

[Andrey Tarasevich]

...
does exist a safe version/way of sprintf to prevent a buffer overflow by
using in this manner?

char* format = "0x%0.4X\n";
char buf[4];

sprintf(buf, format, number);

where the format can change at runtime? The buf size is fixed at compile
time.
...

There are always at least two ways "to prevent a buffer overflow". One is the
make sure that your buffer is always big enough for the data you are trying to
write into it. Another is to truncate the data when it hits the limit of the
buffer. The first question you should be asking yourself is which one you really
need.

The latter prevention strategy is of very limited use since, even tough it does
prevent the overflow, it usually provides no useful result and no meaningful
continuation strategy. It is mostly useful in situations when you want to abort
your program anyway, but you'd prefer to exit more-or-less gracefully with your
own diagnostic message instead of the inelegant "segmentation fault, core dumped".

If that's not what you want to do (is it?), then you'd better off sticking with
the former strategy. Which brings the question of where is the requirement of
the buffer size being fixed at compile time comes from?

 

[Flash Gordon]

Keith Thompson wrote, On 25/01/08 19:28:

does exist a safe version/way of sprintf to prevent a buffer overflow by
using in this manner?
char* format = "0x%0.4X\n";
char buf[4];
sprintf(buf, format, number);
where the format can change at runtime? The buf size is fixed at compile
time.
In the example above the buffer is to small and it's written random in
memory.
snprintf().
sprintf() is hard to use safely if passed a %s parameter, or if the
format string is built dynamically.
snprintf() was added in C99; your implementation might not support it,
and even if it does your code might then not be portable to other
implementations. (Note that the relevant part of the implementation
here is the library, not the compiler.)
But if you can count on snprintf being available on any
implementations you care about, it's definitely the right answer. And
there are open-source implementations out there, so you can probably
use it even where the vendor hasn't provided it.

You have to watch out because if I recall correctly at least one major
library that provides snprintf as an extension to C90 provides one that
is *not* the same as the C99 specification. I believe it is the return
value that is different.

That would be the single unix spec v 2.

Concerning the return value of snprintf(), the SUSv2 and the C99 standard
contradict each other: when snprintf() is called with size=0 then SUSv2 stipulates an unspecified
return value less than 1, while C99 allows str to be NULL in this case, and gives the return value
(as always) as the number of characters that would have been written in case the output string
has been large enough.

OK, so that would make two major library vendors (counting Unix as 1,
when in reality there are multiple unix vendors), since I was not
thinking of Unix.