On Thu, Mar 12, 2020 at 03:43:42PM -0700, Darrick J. Wong wrote: > On Thu, Mar 12, 2020 at 03:27:01PM -0700, Dave Chinner wrote: > > > > I'm annoyed that every time a fundamental failing or technical debt > > is uncovered in the kernel, nobody takes responsibility to fix the > > problem completely, for everyone, for ever. > > > > As Thomas said recently: correctness first. > > > > https://lwn.net/ml/linux-kernel/87v9nc63io.fsf@xxxxxxxxxxxxxxxxxxxxxxx/ > > > > This is not "good enough" - get rid of snprintf() altogether. > > $ git grep snprintf | wc -l > 8534 > > That's somebody's 20 year project... :/ Or half an hour with sed. Indeed, not all of them are problematic: $ git grep "= snprintf" |wc -l 1744 $ git grep "return snprintf"|wc -l 1306 Less than half of them use the return value. Anything that calls snprintf() without checking the return value (just to prevent formatting overruning the buffer) can be converted by search and replace because the behaviour is the same for both functions in this case. Further, code written properly to catch a snprintf overrun will also correctly pick up scnprintf filling the buffer. However, code that overruns with snprintf()s return value is much more likely to work correctly with scnprintf as the calculated buffer length won't overrun into memory beyond the buffer. And that's likely all of the snprintf() calls dealt with in half an hour. Now snprintf can be removed. What's more scary is this: $ git grep "+= sprintf" |wc -l 1834 which is indicative of string formatting iterating over buffers with no protection against the formatting overwriting the end of the buffer. Those are much more dangerous (i.e. potential buffer overflows) than the snprintf problem being fixed here, and those will need to be checked and fixed manually to use scnprintf(). That's where the really nasty technical debt lies, not snprintf... Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx
