[Info-vax] VAX Macro to C conversion
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Fri Jul 26 16:24:17 EDT 2019

On 2019-07-26 02:26:06 +0000, Craig A. Berry said:

> De facto being strlcpy and friends from the BSD folks and mostly
> adopted with a bit of whinging by the Linux folks,

I've used the strl calls rather more than not, as that's more widely
available on target platforms. OpenVMS excepted.

C, C++, BASIC, Fortran, most (all?) of the development tooling are all
in need of updates, and VSI probably has more work pending than even
they might imagine...

> or strcpy_s and friends from the Microsoft folks, the latter of which
> did/paid more to influence the latest standard such that it has the
> Annex K with the "_s" functions in it, but which no one but Microsoft
> is likely to implement as part of their standard library.

safec library with Annex K support is available on github with an
MIT/BSD license, for those that are inclined.

https://github.com/rurban/safeclib

The _s APIs look reasonable, and save some glue-coding to verify both
source and target buffers.

http://www.informit.com/articles/article.aspx?p=2036582&seqNum=5

> There are differences of opinion about which interfaces are least
> likely to be subject to programmer mistakes, but the basic principle of
> checking buffer boundaries but also stopping on a NUL byte are the
> same. And totally different from how descriptors and counted strings
> work.

I'm avoiding the str calls for strn and/or the strl calls, where that
replacement is feasible.

https://wiki.sei.cmu.edu/confluence/display/c/STR03-C.+Do+not+inadvertently+truncate+a+string
https://wiki.sei.cmu.edu/confluence/display/c/STR07-C.+Use+the+bounds-checking+interfaces+for+string+manipulation

etc.

More generally, there's a whole lot of useful hardening-related app
development and testing steps to be learned from other platforms. And
tooling.

--
Pure Personal Opinion | HoffmanLabs LLC
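
Added example, not part of the original message and not code from safeclib or any C library: the three copy behaviours the thread compares (strncpy, the strl family, the Annex K _s family) run against one oversized input. The helper names and the sample string are assumptions; copy_truncating follows BSD strlcpy semantics and copy_or_fail is a simplified sketch of strcpy_s without the constraint handler or overlap check.

```c
#include <stdio.h>
#include <string.h>

/* strlcpy-style (hypothetical helper, BSD semantics): truncates, always
 * NUL-terminates when dstsize > 0, returns strlen(src) so the caller can
 * detect truncation by checking ret >= dstsize. */
size_t copy_truncating(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strcpy_s-style (hypothetical, simplified: no constraint handler, no
 * overlap check): never truncates; on failure dst is left empty. */
int copy_or_fail(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || dstsize == 0)
        return 1;
    if (src == NULL || strlen(src) >= dstsize) {
        dst[0] = '\0';
        return 1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* strncpy into an 8-byte buffer; returns 1 only if the result is terminated. */
int strncpy_terminated(const char *src)
{
    char buf[8];
    strncpy(buf, src, sizeof buf);   /* pads with NULs, or adds none at all */
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    const char *name = "SYS$LOGIN_DEVICE";   /* constructed input, 16 chars */
    char buf[8];
    size_t need = copy_truncating(buf, name, sizeof buf);
    printf("strlcpy-style:  \"%s\" truncated=%d\n", buf, need >= sizeof buf);
    printf("strcpy_s-style: rc=%d \"%s\"\n", copy_or_fail(buf, sizeof buf, name), buf);
    printf("strncpy:        terminated=%d\n", strncpy_terminated(name));
    return 0;
}
```

The strl-style result is safe to read but silently shortened unless the return value is checked, which is the case STR03-C covers; the _s-style call refuses the copy outright.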