git.ipfire.org Git - thirdparty/shadow.git/commit

author	Alejandro Colomar <alx@kernel.org>
	Sat, 26 Aug 2023 12:54:44 +0000 (14:54 +0200)
committer	Iker Pedrosa <ikerpedrosam@gmail.com>
	Fri, 15 Dec 2023 15:41:47 +0000 (16:41 +0100)
commit	8c6634d9bc625eb301502e32790e90e6a01cf420
tree	a648aeb4625da70d6d9a098418926c5af3e2d06b	tree
parent	ce4c4d4ad592ad4678b11533c5417086365fb410	commit \| diff

lib/string/sprintf.[ch]: Add [v]snprintf_()

These functions are like [v]snprintf(3), but return -1 on truncation,
which makes it easier to test.  In fact, the API of swprintf(3), which
was invented later than snprintf(3), and is the wide-character version
of it, is identical to this snprintf_().

snprintf(3) is iseful in two cases:

-  We don't care if the output is truncated.  snprintf(3) is fine for
   those, and the return value can be ignored.  But snprintf_() is also
   fine for those.

-  Truncation is bad.  In that case, it's as bad as a hard error (-1)
   from snprintf, so merging both problems into the same error code
   makes it easier to handle errors.  Return the length if no truncation
   so that we can use it if necessary.

Not returning the whole length before truncation makes a better API,
which need not read the entire input, so it's less vulnerable to DoS
attacks when a malicious user controls the input.

Use these functions to implement SNPRINTF().

Cc: Samanta Navarro <ferivoz@riseup.net>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/sprintf.c		diff \| blob \| blame \| history
lib/string/sprintf.h		diff \| blob \| blame \| history