mailing list archives
Re: better snprintf replacement, anyone?
From: scoile () PATRIOT NET (Steve \)
Date: Mon, 21 Jul 1997 08:05:34 -0400
On Sat, 19 Jul 1997, Theo de Raadt wrote:
Quite often I find people saying to me "Why do you use snprintf() all
over the place to avoid buffer overflows, and not try to use other
techniques. Using snprintf() makes it hard for us to port the code to
It's still not clear to me why people only suggest snprintf().
I would imagine that there are only a few cases were a program coulnd't
pre-determine the length of a string that would be generated by sprintf()
and malloc() enough memory to contain it all. Yes, it's a little extra
work to strlen() all the variables you're pulling in, but you ensure that
you have a large enough buffer, you eliminate the buffer overflow problem,
and you don't truncate the string. Is malloc()-ing the memory *that*
inefficient? Less efficient than the scanning and parsing snprintf()
must do to the format string?
Steve Coile P a t r i o t N e t Systems Engineering
scoile () patriot net Patriot Computer Group (703) 277-7737