Paul Vixie <paul(_at_)redbarn(_dot_)org> wrote:
|Ralph Corderoy wrote:
|> Perhaps a complainant could be told of the secret $NMHNOBARF to stop
|> TRUNCCPY from aborting? Though it would still complain for the first N
|> goes?
|
|i think the moment that the state of the program becomes undefined, you
|should abort.
|
|malloc and asprintf helpfully return a useless value (NULL) if they
|can't fit your result into a new heap blob.
|
|snprintf, strncpy, and strlcpy do not.
I disagree, for the former and the latter.
|the right thing to create on overflow is an empty string. if the caller
|doesn't check the return value, they're going to wonder where that empty
|string came from. this would teach callers to check return values.
|
|returning the front half of the source string is bad. and while
|returning it non-\0-terminated is worse, neither is acceptable.
But in effect i think it was always an error to do such
programming, because in multibyte environments truncating a string
isn't at all easy.
I think the former and latter of the above have the problem that
they return useless information: the size that would be necessary
to store the result in a non-truncated form. If that information
would be collected regularly using the above functions i would
think that this is really wasteful software that gives a s..t on
the necessity of, e.g., atomic plants etc. I think it is this
kind of mental direction that brings us all down.
I think the problem of strncpy() is that it doesn't NUL terminate
in the one, or zero-pads in the other case, which are both things
that i don't want. Therefore i think a function like the Linux
strscpy() is something that can be used in, e.g., all US-ASCII
/ Deutsch / any single-byte locale servers or other programs,
where truncating a log entry etc. is to be performed (cheaply).
Otherwise i would claim that usage of such a function is likely an
error, and should be replaced by dynamic string objects.
E.g., i still have four use cases of strscpy() in the MUA
i maintain, and they are all wrong.
|i once received a thousands-of-lines-long patch to bind8 to make it use
|snprintf and strlcpy. i rejected it, and replaced every caller whose
|starting conditions were not obvious from simple inspection with an "if"
|statement that crashed out of the current operation if the resulting
|string would not fit my assumptions.
|
|replacing overrun with truncation is not a big enough improvement to
|justify touching the code at all.
--steffen
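As an added example, not code from the thread or from nmh: a C copy routine with the strscpy-style contract the message refers to (always NUL-terminated, no zero-padding, truncation reported as -E2BIG rather than as the would-be length), beside a small check that makes the strncpy hazard visible. The function names are my own.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Copy src into dst[size]. Always NUL-terminates, never zero-pads the
 * remainder (unlike strncpy), and returns -E2BIG on truncation instead of
 * the length that would have been needed (unlike strlcpy), so a caller
 * only has to test the sign of the result to catch an overflow. */
ssize_t copy_or_fail(char *dst, const char *src, size_t size)
{
    size_t n = 0;

    if (size == 0)
        return -E2BIG;
    /* Scan at most size bytes of src; never read past its first NUL. */
    while (n < size && src[n] != '\0')
        n++;
    if (n == size) {
        /* Does not fit: keep size-1 bytes, terminate, and report it. */
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -E2BIG;
    }
    memcpy(dst, src, n + 1); /* n bytes plus the terminating NUL */
    return (ssize_t)n;
}

/* The strncpy behaviour discussed above: when src holds size or more
 * bytes, strncpy writes no terminator at all. Returns 1 if the buffer
 * was left unterminated, 0 if a NUL landed inside the first size bytes. */
int strncpy_left_unterminated(const char *src, size_t size)
{
    char buf[64];
    size_t i;

    if (size > sizeof buf)
        size = sizeof buf;
    memset(buf, 'X', sizeof buf); /* poison so a missing NUL is visible */
    strncpy(buf, src, size);
    for (i = 0; i < size; i++)
        if (buf[i] == '\0')
            return 0;
    return 1;
}
```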
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers