This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: Implementation of C11 Bounds-checking interfaces
- From: Ulrich Bayer <ubayer at sba-research dot org>
- To: Rich Felker <dalias at aerifal dot cx>
- Cc: <libc-alpha at sourceware dot org>
- Date: Thu, 1 Nov 2012 21:26:58 +0100
- Subject: Re: Implementation of C11 Bounds-checking interfaces
- References: <509132DA.9060503@sba-research.org> <CAE2sS1iRjP4FakjCCJ4tRA90UdUY-sd+eU9h27h_Hm89r7_VDA@mail.gmail.com> <Pine.LNX.4.64.1210311714370.7365@digraph.polyomino.org.uk>
> I definitely like the idea of keeping it separate, but I question the
> amount of code duplication. For example, tmpfile_s does not need to
> reimplement tmpfile in terms of mkstemp; in fact, such an
> implementation does not conform to ISO C since it references POSIX
> symbols outside the ISO C namespace. A much simpler implementation
> would just be:
>
> errno_t tmpfile_s(FILE * restrict * restrict streamptr)
> {
>     if (!streamptr) {
>         RUNTIME_CONSTRAINT_HANDLER();
>         return EINVAL;
>     }
>     *streamptr = tmpfile();
>     return *streamptr ? 0 : errno;
> }
You raise a good point. tmpfile_s is a special case.
1) I was under the impression that tmpfile fails to provide exclusive access. I did not check whether that is true for glibc.
2) We decided to extend the ISO functionality of tmpfile_s by adding functions that allow setting and retrieving
the temporary directory where tmpfile_s and tmpnam_s create files. If you set this temporary directory to a non-shared
directory even the use of tmpnam becomes okay imho because no one else can write files there. We were mainly following:
https://www.securecoding.cert.org/confluence/display/seccode/FIO43-C.+Do+not+create+temporary+files+in+shared+directories
Whether this is useful can be discussed of course.
Ulrich
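As an added illustration of the wrapper sketched in the quoted reply (this is example code written for this archive page, not glibc's or the original poster's implementation): the only bounds-checking work tmpfile_s has to do is validate its out-pointer and invoke the runtime-constraint handler, after which it defers to the ISO C tmpfile(), so no POSIX symbol such as mkstemp is referenced. The handler plumbing below (counting_handler, set_constraint_handler, the example_ prefixes) is assumed for the example and modelled on Annex K's set_constraint_handler_s; the default handler only counts violations so the behaviour can be checked without aborting the process.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Annex K spells the return type errno_t; glibc does not define it,
   and C11 permits an identical typedef redefinition where a libc does. */
typedef int errno_t;

/* Hypothetical runtime-constraint handler plumbing (modelled on Annex K's
   set_constraint_handler_s). The default handler records the violation so the
   example remains testable; a production handler might log and abort(). */
typedef void (*constraint_handler_t)(const char *msg, void *ptr, errno_t error);

static int g_violations = 0;

static void counting_handler(const char *msg, void *ptr, errno_t error)
{
    (void)msg; (void)ptr; (void)error;
    g_violations++;
}

static constraint_handler_t g_handler = counting_handler;

/* Install a new handler and return the previous one; NULL restores the default. */
constraint_handler_t set_constraint_handler(constraint_handler_t handler)
{
    constraint_handler_t old = g_handler;
    g_handler = handler ? handler : counting_handler;
    return old;
}

/* tmpfile_s as the quoted reply sketches it: a NULL out-pointer is a
   runtime-constraint violation (handler called, EINVAL returned); otherwise
   defer to tmpfile(), which creates an unnamed file removed on close, and
   report errno if that fails. Prefixed example_ to avoid clashing with any
   libc that does ship Annex K. */
errno_t example_tmpfile_s(FILE *restrict *restrict streamptr)
{
    if (!streamptr) {
        g_handler("tmpfile_s: streamptr is NULL", NULL, EINVAL);
        return EINVAL;
    }
    *streamptr = tmpfile();
    return *streamptr ? 0 : errno;
}

/* Number of runtime-constraint violations seen so far by the default handler. */
int example_violation_count(void)
{
    return g_violations;
}

int main(void)
{
    FILE *fp = NULL;
    errno_t err = example_tmpfile_s(&fp);
    if (err == 0) {
        fputs("scratch data\n", fp);
        fclose(fp);          /* the unnamed temporary file is removed here */
    }
    printf("tmpfile_s(&fp) returned %d\n", err);

    err = example_tmpfile_s(NULL);
    printf("tmpfile_s(NULL) returned %d, violations=%d\n",
           err, example_violation_count());
    return 0;
}
```

Note that the wrapper inherits whatever temporary-directory policy the underlying tmpfile() applies; the configurable directory discussed in the reply above would have to live in the library's own tempname machinery, not in this thin layer.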