From: David Lamparter Date: Mon, 20 Apr 2020 21:33:21 +0000 (+0200) Subject: doc: document strcpy & sprintf ban X-Git-Tag: base_7.4~55^2~1 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=08cffeb5d9e3b574b8b3c574a7e163d8028e16bb;p=mirror%2Ffrr.git doc: document strcpy & sprintf ban Signed-off-by: David Lamparter --- diff --git a/doc/developer/workflow.rst b/doc/developer/workflow.rst index f283f69afb..11e6233e12 100644 --- a/doc/developer/workflow.rst +++ b/doc/developer/workflow.rst @@ -515,6 +515,28 @@ your new claim at the end of the list. * ... */ +Defensive coding requirements +----------------------------- + +In general, code submitted into FRR will be rejected if it uses unsafe +programming practices. While there is no enforced overall ruleset, the +following requirements have achieved consensus: + +- ``strcpy``, ``strcat`` and ``sprintf`` are inacceptable without exception. + Use ``strlcpy``, ``strlcat`` and ``snprintf`` instead. (Rationale: even if + you know the operation cannot overflow the buffer, a future code change may + inadvertedly introduce an overflow.) + +- buffer size arguments, particularly to ``strlcpy`` and ``snprintf``, must + use ``sizeof()`` whereever possible. Particularly, do not use a size + constant in these cases. (Rationale: changing a buffer to another size + constant may leave the write operations on a now-incorrect size limit.) + +Other than these specific rules, coding practices from the Linux kernel as +well as CERT or MISRA C guidelines may provide useful input on safe C code. +However, these rules are not applied as-is; some of them expressly collide +with established practice. + Code Formatting ---------------
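Review bot: the new "Defensive coding requirements" section carries three spelling errors that should be fixed before merge: "inacceptable" should read "unacceptable", "inadvertedly" should read "inadvertently", and "whereever" should read "wherever". The second bullet's ``sizeof()`` rule also deserves a caveat: it only gives the buffer size when the operand is the array itself; applied to a pointer (e.g. a ``char *buf`` function parameter) ``sizeof()`` yields the pointer size, so the rule should say "use ``sizeof()`` on the array wherever possible, and pass the length explicitly when the buffer is only reachable through a pointer". Finally, since ``strlcpy``, ``strlcat`` and ``snprintf`` truncate rather than overflow, a sentence noting that callers who need the complete string must check the return value against the buffer size would round out the rationale.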