<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 11/26/2019 7:41 AM, Michael Wojcik
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR18MB098758110749FACAB6FE2899F9450@DM5PR18MB0987.namprd18.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
<div style="font-family: Calibri,Arial,Helvetica,sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
The Appendix K functions (memcpy_s, etc) do NOT "remove buffer
overflow kind of issues completely", and anyone who thinks they
do is making a serious error. The Appendix K functions impose an
additional check. That's all they do. It is possible, and in
some use cases quite easy, for the developer to pass the wrong
value for the destsz parameter and invalidate that check.<br>
</div>
<div style="font-family: Calibri,Arial,Helvetica,sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
Some C experts have argued that the length-checking versions of
the library functions, either the C90 ones such as strncat or
the Appendix K ones, are essentially pointless anyway; that the
caller needs to handle truncation and so ought to know whether
truncation (or overflow) would occur before attempting the
operation.<br>
</div>
</blockquote>
<br>
I was initially a fan of them when I first heard of them, but have
since soured on them, as have others. They are very nearly useless
for libraries, because their behavior is controlled on a
process-global basis. The library cannot assume that the "bad"
cases will result in aborts, because the application might have
chosen to have them return errors instead. That means that the
library has to check for and handle all of those "should be
impossible" error cases.<br>
<br>
Here's a paper on the subject:
<a class="moz-txt-link-freetext" href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm">http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm</a><br>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris</pre>
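<br>
The two points made in this exchange, that the memcpy_s check is only as good as the destsz the caller supplies and that the constraint handler is one process-global setting, can be shown in a few lines of C. The following is an added illustration, not code from either poster or from any Appendix K implementation: because glibc does not ship Appendix K, it carries its own minimal model of the memcpy_s runtime-constraint rules (ak_-prefixed names, an assumption of this example), a recording handler that stands in for abort_handler_s so the program can keep running, and a constructed 16-byte input. The "wrong destsz" case uses a sentinel region inside the same array so the effect of a satisfied-but-useless check is observable without undefined behaviour.<br>

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the Appendix K types and of memcpy_s (C11 K.3.7.1.1), written
 * for this illustration. Names carry an ak_ prefix so they cannot collide with a
 * real implementation. The overlap check of the real function is omitted. */
typedef size_t rsize_t;
typedef int errno_t;
#define AK_RSIZE_MAX (SIZE_MAX >> 1)
typedef void (*ak_constraint_handler_t)(const char *msg, void *ptr, errno_t err);

/* Stand-in for abort_handler_s: records the violation instead of aborting. */
static int ak_violations;
static void ak_record_handler(const char *msg, void *ptr, errno_t err) {
    (void)ptr;
    ak_violations++;
    fprintf(stderr, "runtime-constraint violation: %s (errno %d)\n", msg, err);
}

/* Stand-in for ignore_handler_s: the caller learns of the problem only via the return value. */
static void ak_ignore_handler(const char *msg, void *ptr, errno_t err) {
    (void)msg; (void)ptr; (void)err;
}

/* One process-global variable: whoever calls set_constraint_handler_s last
 * (normally the application, not a library) decides what every violation does. */
static ak_constraint_handler_t ak_handler = ak_record_handler;
static ak_constraint_handler_t ak_set_constraint_handler_s(ak_constraint_handler_t h) {
    ak_constraint_handler_t prev = ak_handler;
    ak_handler = h ? h : ak_record_handler;
    return prev;
}

static errno_t ak_memcpy_s(void *dst, rsize_t destsz, const void *src, rsize_t n) {
    if (dst == NULL || destsz > AK_RSIZE_MAX) {
        ak_handler("memcpy_s: bad destination", dst, EINVAL);
        return EINVAL;
    }
    if (src == NULL || n > AK_RSIZE_MAX || n > destsz) {
        memset(dst, 0, destsz);          /* the standard zeroes dst on a violation */
        ak_handler("memcpy_s: count exceeds destsz", dst, ERANGE);
        return ERANGE;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Constructed input: 15 characters plus the terminating NUL, 16 bytes in total. */
static const char SRC16[16] = "0123456789ABCDE";

/* One 16-byte array: the first 8 bytes play the "destination buffer", the next
 * 8 are a sentinel, so a copy that runs past the destination stays inside the
 * array yet is detectable. */
enum { DST_SZ = 8, BACKING_SZ = 16 };
static int sentinel_intact(const char *backing) {
    for (size_t i = DST_SZ; i < BACKING_SZ; i++)
        if (backing[i] != 'S') return 0;
    return 1;
}

/* Correct use: destsz is the real size of the destination. The check fires,
 * the destination is zeroed and nothing is written past it. */
static errno_t demo_correct_destsz(int *intact) {
    char backing[BACKING_SZ];
    memset(backing, 'S', sizeof backing);
    errno_t rc = ak_memcpy_s(backing, DST_SZ, SRC16, sizeof SRC16);
    *intact = sentinel_intact(backing);
    return rc;
}

/* The mistake the thread describes: destsz is derived from the source length,
 * so n > destsz is false by construction and the check is satisfied while the
 * copy still runs past the real destination. */
static errno_t demo_wrong_destsz(int *intact) {
    char backing[BACKING_SZ];
    memset(backing, 'S', sizeof backing);
    rsize_t n = sizeof SRC16;
    errno_t rc = ak_memcpy_s(backing, n /* wrong: should be DST_SZ */, SRC16, n);
    *intact = sentinel_intact(backing);
    return rc;
}

/* A library routine cannot assume a violation aborts: the application may have
 * installed an ignoring handler, so the "impossible" error path must be handled. */
static int lib_copy_record(char *out, rsize_t outsz, const char *rec, rsize_t reclen) {
    if (ak_memcpy_s(out, outsz, rec, reclen) != 0)
        return -1;                       /* out was zeroed; report failure upward */
    return (int)reclen;
}

/* Runs the library routine under the application's chosen handler and reports
 * how many handler callbacks occurred (0 under the ignoring handler). */
static int demo_global_handler(int use_ignore_handler, int *violations_seen) {
    char small[4];
    ak_violations = 0;
    ak_constraint_handler_t prev =
        ak_set_constraint_handler_s(use_ignore_handler ? ak_ignore_handler : ak_record_handler);
    int rc = lib_copy_record(small, sizeof small, SRC16, sizeof SRC16);
    *violations_seen = ak_violations;
    ak_set_constraint_handler_s(prev);
    return rc;
}

int main(void) {
    int intact, seen;
    errno_t rc = demo_correct_destsz(&intact);
    printf("correct destsz: rc=%d, sentinel %s\n", rc, intact ? "intact" : "clobbered");
    rc = demo_wrong_destsz(&intact);
    printf("wrong destsz:   rc=%d, sentinel %s\n", rc, intact ? "intact" : "clobbered");
    int lrc = demo_global_handler(1, &seen);
    printf("ignoring handler: library rc=%d, handler calls=%d\n", lrc, seen);
    return 0;
}
```

The first two demos differ only in the destsz argument, which is the whole point: the function has no way to know the real size of the destination, so a value copied from the wrong place turns the check into a tautology. The third demo is the library author's situation from the reply above: with the ignoring handler installed by the application, the only signal that anything went wrong is the ERANGE return, so the library must check it and deal with the now-zeroed buffer itself.<br>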
</body>
</html>