 

Mac solution for "safe" alternatives to "unsafe" C/C++ Standard Library functions?

Tags:

c

macos

gcc

What's the best one-stop-shop "safe" C library solution on the Mac? I use quotes on "safe"/"unsafe" because there is much debate as to the benefits of certain Standard Library functions or their putatively improved alternatives.

Many traditional Standard C Library functions (e.g., vfprintf) are considered to be unsafe due to the potential for buffer overflow or other security problems.

On Windows, the Microsoft C/C++ compilers provide the "_s" functions (e.g., vfprintf_s) as a safer alternative to the standard library calls. These functions are not drop-in replacements since they have the different signatures necessary to provide additional safety information (e.g., buffer length). They also provide other features such as invalid format string detection, different file security, etc. As far as I know, this implementation is not available on the Mac.

Does Apple (or a third party) provide anything similar for use with GCC on OSX?

In particular, I'm looking for "safe" implementations of at least the following functions:

fopen vfprintf vsprintf sprintf strncpy strcpy strcat

Please note: This question is about the Mac. I am NOT asking for your opinions about Microsoft's implementation (unless it's available on the Mac.) Although some of these functions might be easy to write myself, not all are. I am NOT asking how to write these myself. I'm NOT asking for tips on how to use STL classes to do this. I'm NOT asking how to turn off warnings. My particular needs are very specific. I'm trying to identify a best-practice Mac API that is as similar as possible to the traditional C library calls while adding safety. Of course a portable implementation that works on Mac and Windows (and other operating systems) would be even better.

asked Jan 30 '10 18:01 by jwfearn




2 Answers

In particular, I'm looking for "safe" implementations of at least the following functions: fopen vfprintf vsprintf sprintf strncpy strcpy strcat ...

I'm trying to identify a best-practice Mac API that is as similar as possible to the traditional C library calls while adding safety.

That's easy. Checkout the Apple Secure Coding Guide. Apple happens to use the BSD "safer" functions.



Related: while Apple and Microsoft provide safer functions, Linux does not. GNU C did not include "Bounds checking Interfaces" (ISO's TR24731) because folks like Ulrich Drepper (a GNU libc gatekeeper) objected. He objected because only the destination buffer was specified. He called the "safer" function BSD Crap. For Drepper's quote, see Re: PATCH: safe string copy and concetation on the Sourceware mailing list.

Following Drepper's advice will lead to spectacular failures. CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 (also known as Multiple buffer overflows in libupnp) for the win! It's too bad libupnp followed Drepper's advice, ignored best practices and discarded the "safer" functions. I wonder how many millions of routers and gateways remain unpatched even today...

answered Oct 13 '22 16:10 by jww


SUMMARY: on Mac, there are several APIs and compiler options that provide safer alternatives to C Standard Library functions. Here are some of them compared with Microsoft's "safe" APIs:

   C        MSVC      PROVIDERS  MAC SOLUTION
---------------------------------------------------------------------------------
fopen     fopen_s     C          none, assume fopen is safe
vfprintf  vfprintf_s  GCC        GCC_WARN_TYPECHECK_CALLS_TO_PRINTF(1)
vsprintf  vsprintf_s  GCC, C99   GCC_WARN_TYPECHECK_CALLS_TO_PRINTF, vsnprintf(2)
sprintf   sprintf_s   GCC, C99   GCC_WARN_TYPECHECK_CALLS_TO_PRINTF, snprintf(3)
strncpy   strncpy_s   BSD        strlcpy(4)
strcpy    strcpy_s    BSD        strlcpy
strcat    strcat_s    BSD        strlcat(5)

(1) GCC_WARN_TYPECHECK_CALLS_TO_PRINTF is an Xcode build setting which corresponds to the GCC command-line option -Wformat. This option produces compiler warnings when argument types disagree with a static format string. There are a variety of other options to control GCC's treatment of format strings. You can even use GCC's format function attribute to enable format string checking on your own functions.

(2) vsnprintf and (3) snprintf are from the C99 version of the C Standard Library (available in GCC on Mac but not in MSVC on Windows).

(4) strlcpy and (5) strlcat are BSD library functions, available on Mac.

answered Oct 13 '22 17:10 by jwfearn
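The following is an added example, not code from either answer and not Apple's code. It exercises the "Mac solution" column of the table above: strlcpy/strlcat with their return value checked for truncation, vsnprintf with the C99 return value checked, the GCC format attribute so that -Wformat type-checks a custom formatting helper, and, for contrast, the way strncpy can leave a buffer unterminated. It assumes a fixed 16-byte destination and constructed sample inputs. On macOS and the BSDs strlcpy/strlcat come from libc; because the build host might be Linux with a libc that lacks them, a fallback with the same OpenBSD contract is compiled in there (that fallback is this example's own code, not the BSD implementation).

```c
/* Added example, not code from the question or answers above. On macOS and
 * the BSDs strlcpy/strlcat come from libc; elsewhere a fallback with the same
 * OpenBSD contract is compiled in (assumption: the build host may be Linux
 * with a libc that lacks them). Build: cc -std=c99 -Wall -Wformat safer.c */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if !defined(__APPLE__) && !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__)
/* The BSD contract: always NUL-terminate when dsize > 0, and return the length
 * of the string that was attempted, so a result >= dsize means truncation. */
static size_t fallback_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t slen = strlen(src);
    if (dsize > 0) {
        size_t n = slen < dsize - 1 ? slen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return slen;
}
static size_t fallback_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')   /* bounded length of dst */
        dlen++;
    if (dlen == dsize)                          /* dst unterminated: write nothing */
        return dsize + strlen(src);
    return dlen + fallback_strlcpy(dst + dlen, src, dsize - dlen);
}
#define strlcpy fallback_strlcpy
#define strlcat fallback_strlcat
#endif

#define BUF 16   /* assumed fixed destination size for the demo */

/* strcpy replacement: returns 1 if src fit, 0 if it was truncated. out is
 * NUL-terminated either way, which strncpy does not guarantee. */
int copy_bounded(char out[BUF], const char *src)
{
    return strlcpy(out, src, BUF) < BUF;
}

/* strcat replacement: builds "user@host", stopping at the first truncation. */
int join_bounded(char out[BUF], const char *user, const char *host)
{
    if (strlcpy(out, user, BUF) >= BUF) return 0;
    if (strlcat(out, "@", BUF) >= BUF) return 0;
    return strlcat(out, host, BUF) < BUF;
}

/* vsprintf replacement: the attribute makes -Wformat type-check callers'
 * format strings, and the C99 return value of vsnprintf reveals truncation. */
__attribute__((format(printf, 3, 4)))
int format_bounded(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r >= 0 && (size_t)r < n;
}

/* The strncpy pitfall: when strlen(src) >= sizeof d, no terminator is written.
 * Returns 1 if the 4-byte result is unterminated. */
int strncpy_unterminated(const char *src)
{
    char d[4];
    strncpy(d, src, sizeof d);
    return memchr(d, '\0', sizeof d) == NULL;
}

/* Runs the constructed scenarios; returns how many did not behave as documented. */
int run_checks(void)
{
    char b[BUF];
    int bad = 0;
    bad += !(copy_bounded(b, "alice") == 1 && strcmp(b, "alice") == 0);
    bad += !(copy_bounded(b, "AAAAAAAAAAAAAAAAAAAA") == 0 && strlen(b) == BUF - 1);
    bad += !(join_bounded(b, "alice", "example") == 1 && strcmp(b, "alice@example") == 0);
    bad += !(join_bounded(b, "alice", "db.internal") == 0 && strcmp(b, "alice@db.intern") == 0);
    bad += !(format_bounded(b, sizeof b, "pid=%d", 4242) == 1 && strcmp(b, "pid=4242") == 0);
    bad += !(format_bounded(b, 8, "pid=%d", 4242) == 0 && strcmp(b, "pid=424") == 0);
    bad += !(strncpy_unterminated("abcd") == 1 && strncpy_unterminated("abc") == 0);
    return bad;
}

int main(void)
{
    char b[BUF];
    printf("copy 20 x 'A': %s, buffer holds \"%s\"\n",
           copy_bounded(b, "AAAAAAAAAAAAAAAAAAAA") ? "ok" : "truncated", b);
    printf("join alice@db.internal: %s, buffer holds \"%s\"\n",
           join_bounded(b, "alice", "db.internal") ? "ok" : "truncated", b);
    printf("format into 8 bytes: %s, buffer holds \"%s\"\n",
           format_bounded(b, 8, "pid=%d", 4242) ? "ok" : "truncated", b);
    printf("strncpy(\"abcd\") left no terminator: %d\n", strncpy_unterminated("abcd"));
    printf("scenarios misbehaving: %d\n", run_checks());
    return 0;
}
```

The point of checking `>= BUF` after every strlcpy/strlcat call is that the BSD functions never overflow but do silently truncate; the return value is the only signal, and a truncated path or hostname is still a bug even if it is no longer a memory-safety bug. Compiling with -Wformat (GCC_WARN_TYPECHECK_CALLS_TO_PRINTF in Xcode) will flag a call such as format_bounded(b, sizeof b, "pid=%s", 4242) because of the format attribute.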