<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 16, 2020, 6:43 PM Chris Johns <<a href="mailto:chrisj@rtems.org">chrisj@rtems.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 16/9/20 11:42 pm, Joel Sherrill wrote:<br>
> snprintf() is a safe method and I strongly disagree with the blanket replacement<br>
> of many safe methods with memcpy().<br>
> <br>
> Based on what POSIX profiles snprintf() is included in and the safety and<br>
> security requirements those profiles are designed to meet, snprintf() is<br>
> supported by RTOSes that can meet DO-178 Level A.<br>
> <br>
> If the POSIX method being reviewed is in the FACE Safety Base or Safety Extended<br>
> profile, then it is OK to use and has been used in flight qualified<br>
> applications. And that is a general statement meaning running on any of a<br>
> variety of RTOSes. If the usage is incorrect, let's fix it but blanket changing<br>
> them is wrong.<br>
<br>
This is really good information, thank you.<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">No problem. That doesn't mean you can't do something stupid with it but sprintf() would be discouraged and isn't in those profiles as I recall.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I see EPICS is reporting similar issues at the moment and looking to work around<br>
them.<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">And no one is questioning why? What's the risk? </div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Is there a history of why this has been added to compilers as a warning?<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I have no idea..snprintf has a length and avoids overwrites.</div><div dir="auto"><br></div><div dir="auto">I would suggest that we find a safety or security coding standard that warns about whatever methods this catches. </div><div dir="auto"><br></div><div dir="auto">Personally replacing snprintf and strong operations with memmove is semantically wrong.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Chris<br>
</blockquote></div></div></div>