From 08cffeb5d9e3b574b8b3c574a7e163d8028e16bb Mon Sep 17 00:00:00 2001 From: David Lamparter Date: Mon, 20 Apr 2020 23:33:21 +0200 Subject: [PATCH] doc: document strcpy & sprintf ban Signed-off-by: David Lamparter --- doc/developer/workflow.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/developer/workflow.rst b/doc/developer/workflow.rst index f283f69afb..11e6233e12 100644 --- a/doc/developer/workflow.rst +++ b/doc/developer/workflow.rst @@ -515,6 +515,28 @@ your new claim at the end of the list. * ... */ +Defensive coding requirements +----------------------------- + +In general, code submitted into FRR will be rejected if it uses unsafe +programming practices. While there is no enforced overall ruleset, the +following requirements have achieved consensus: + +- ``strcpy``, ``strcat`` and ``sprintf`` are inacceptable without exception. + Use ``strlcpy``, ``strlcat`` and ``snprintf`` instead. (Rationale: even if + you know the operation cannot overflow the buffer, a future code change may + inadvertedly introduce an overflow.) + +- buffer size arguments, particularly to ``strlcpy`` and ``snprintf``, must + use ``sizeof()`` whereever possible. Particularly, do not use a size + constant in these cases. (Rationale: changing a buffer to another size + constant may leave the write operations on a now-incorrect size limit.) + +Other than these specific rules, coding practices from the Linux kernel as +well as CERT or MISRA C guidelines may provide useful input on safe C code. +However, these rules are not applied as-is; some of them expressly collide +with established practice. + Code Formatting --------------- -- 2.39.5
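Review bot: three spelling errors in the added "Defensive coding requirements" text should be fixed before merge: "inacceptable" should be "unacceptable", "inadvertedly" should be "inadvertently", and "whereever" should be "wherever". The second bullet could also state the limit of the ``sizeof()`` rule: it gives the buffer size only when the array declaration is in scope, while ``sizeof()`` applied to a pointer parameter yields the pointer's size, so a buffer passed into a function needs its length passed alongside it, for example as in ``strlcpy(buf, src, buflen)`` rather than ``strlcpy(buf, src, sizeof(buf))``.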