From b53e6d77742d8a1559bb0b5caece780d450ba16a Mon Sep 17 00:00:00 2001
From: Inaky Perez-Gonzalez
Date: Tue, 22 Nov 2016 11:20:55 -0800
Subject: [PATCH] libc/minimal: snprintf(): KILL negative len parameter

snprintf() implements the ability to foce a negative value through the (unsigned) size_t len parameter to allow the formatter to use a maximum size string. This is point less, we don't have as much memory and this is a recipe for all kinds of vulnerabilities. Kill the whole thing, the testcase it represents and thank Coverity for finding this thing. Whatever use it had before, it has no more.

Change-Id: If422246548664699d8aa328a1b9304ef13cab7ea
Coverity-ID: 131625
Coverity-ID: 131626
Signed-off-by: Inaky Perez-Gonzalez
---
 lib/libc/minimal/source/stdout/sprintf.c | 16 ++------
 tests/kernel/test_sprintf/src/test_sprintf.c | 41 --------------------
 2 files changed, 4 insertions(+), 53 deletions(-)

diff --git a/lib/libc/minimal/source/stdout/sprintf.c b/lib/libc/minimal/source/stdout/sprintf.c
index 98dcabf0eca..081312046d0 100644
--- a/lib/libc/minimal/source/stdout/sprintf.c
+++ b/lib/libc/minimal/source/stdout/sprintf.c
@@ -45,12 +45,8 @@ int snprintf(char *_Restrict s, size_t len, const char *_Restrict format, ...)
 int r;
 char dummy;
 
- if ((int) len <= 0) {
- if (len == 0) {
- s = &dummy; /* write final NUL to dummy, since can't change *s */
- } else {
- len = 0x7fffffff; /* allow up to "maxint" characters */
- }
+ if (len == 0) {
+ s = &dummy; /* write final NUL to dummy, can't change *s */
 }
 
 p.ptr = s;
@@ -88,12 +84,8 @@ int vsnprintf(char *_Restrict s, size_t len, const char *_Restrict format, va_li
 int r;
 char dummy;
 
- if ((int) len <= 0) {
- if (len == 0) {
- s = &dummy; /* write final NUL to dummy, since can't change *s */
- } else {
- len = 0x7fffffff; /* allow up to "maxint" characters */
- }
+ if (len == 0) {
+ s = &dummy; /* write final NUL to dummy, can't change * *s */
 }
 
 p.ptr = s;
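Review bot: A `len` larger than INT_MAX now falls straight through the `if (len == 0)` guard in snprintf() and in vsnprintf() (second hunk), and the new lines do not say what the formatter does with it. Both function bodies continue past `p.ptr = s;` outside the hunks, so whether the size is narrowed to a signed count there cannot be confirmed from this diff; if it is, that is worth a one-line comment at the guard, e.g. `/* len is the true size of s; only 0 is special-cased */`. The vsnprintf() comment also carries a stray asterisk, `can't change * *s */`, and should read `can't change *s */` as in snprintf().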
diff --git a/tests/kernel/test_sprintf/src/test_sprintf.c b/tests/kernel/test_sprintf/src/test_sprintf.c
index ea5b6962893..ed76b86f04b 100644
--- a/tests/kernel/test_sprintf/src/test_sprintf.c
+++ b/tests/kernel/test_sprintf/src/test_sprintf.c
@@ -235,27 +235,6 @@ int vsnprintfTest(void)
 int status = TC_PASS;
 char buffer[100];
 
- /*
- * The string size may be handled in a non-standard manner.
- * If a negative value is supplied for the string size, it is converted
- * to 0x7fffffff--maximum integer size. Since there is insufficient
- * memory to test a string of that length, we just check that the string
- * was fully written so that we can exercise the code path.
- */
- buffer[0] = '\0';
- len = tvsnprintf(buffer, (size_t)(-4), "%x", DEADBEEF);
- if (len != strlen(DEADBEEF_LHEX_STR)) {
- TC_ERROR("vsnprintf(%%x). Expected return value %d, not %d\n",
- strlen(DEADBEEF_LHEX_STR), len);
- status = TC_FAIL;
- }
-
- if (strcmp(buffer, DEADBEEF_LHEX_STR) != 0) {
- TC_ERROR("vsnprintf(%%x). Expected '%s', got '%s'\n",
- DEADBEEF_LHEX_STR, buffer);
- status = TC_FAIL;
- }
-
 /*******************/
 buffer[0] = '\0';
 len = tvsnprintf(buffer, 0, "%x", DEADBEEF);
@@ -356,26 +335,6 @@ int snprintfTest(void)
 int status = TC_PASS;
 char buffer[100];
 
- /*
- * The string size may be handled in a non-standard manner.
- * If a negative value is supplied for the string size, it is converted
- * to 0x7fffffff--maximum integer size. Since there is insufficient
- * memory to test a string of that length, we just check that the string
- * was fully written so that we can exercise the code path.
- */
- buffer[0] = '\0';
- len = snprintf(buffer, (size_t)(-4), "%x", DEADBEEF);
- if (len != strlen(DEADBEEF_LHEX_STR)) {
- TC_ERROR("snprintf(%%x). Expected return value %d, not %d\n",
- strlen(DEADBEEF_LHEX_STR), len);
- status = TC_FAIL;
- }
-
- if (strcmp(buffer, DEADBEEF_LHEX_STR) != 0) {
- TC_ERROR("snprintf(%%x). Expected '%s', got '%s'\n",
- DEADBEEF_LHEX_STR, buffer);
- status = TC_FAIL;
- }
 /*******************/
 buffer[0] = '\0';