unsafe snprintf

purplepants wrote on Wednesday, October 12, 2011:

The printf-stdarg.c file distributed with FreeRTOS contains a snprintf() implementation that silently drops the ‘count’ parameter. That is, it is less safe than the normal sprintf() call since most users won’t be aware of this ‘feature’ and might take less care of buffer overflow potential than if they were forced to use sprintf(). It is difficult to overstate how bad this is. At a minimum, I would suggest that the snprintf function is either removed from the source or has a #warning show on compile.

I appreciate that printf-stdarg.c is a third-party file and only used in the demos. Nevertheless, it is included with the FreeRTOS distribution and recommended in the FreeRTOS Reference Manual. I suspect that most users would assume that it is up to the quality of other FreeRTOS code, and be completely oblivious as to the potential problem its use could cause.

rtel wrote on Wednesday, October 12, 2011:

I take your point, I will look into whether it is used anywhere, to see if taking it out would break anything. #warning is not an option, as it would just not compile with many compilers.

The file in question is an ultra light implementation, included mainly to avoid code size bloat and very light stack usage.
purplepants wrote on Thursday, October 13, 2011:

Thanks. I realise it is meant to be a lite implementation, but ‘lite’ shouldn’t mean maliciously broken! :slight_smile:

Perhaps removing the ‘(void)count;’ line might be a reasonable halfway house - its only purpose is to prevent the compiler warning that count isn’t used, after all.

As to removing it, a search on ‘snprintf’ and replace of ‘sprintf’ will do the job - since it actually is sprintf under the bonnet, changing all calls to the real thing won’t make anything worse.
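The two behaviours discussed in this thread (a snprintf that throws its ‘count’ away with a `(void)count;`, and a lightweight one that actually honours it), with a canary check that tells them apart. This is an added example written for this page; it is not the printf-stdarg.c source and not FreeRTOS code. `dropcount_snprintf` is a constructed stand-in for the defect purplepants describes, `bounded_snprintf` is an assumed minimal formatter (only `%s`, `%d`, `%c`, `%%`), and `respects_bound` is the check a reviewer could point at any snprintf-like function before trusting it in a demo build:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Common signature so the same check can be aimed at the C library's
   snprintf or at any replacement implementation. */
typedef int (*snprintf_fn)(char *buf, size_t count, const char *fmt, ...);

/* Constructed stand-in for the defect discussed above: count is accepted,
   then discarded, so the write is bounded only by the format arguments.
   NOT the printf-stdarg.c source. */
static int dropcount_snprintf(char *buf, size_t count, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)count;                 /* the bound is silently thrown away */
    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);  /* unbounded write into buf */
    va_end(ap);
    return n;
}

/* Store a character only while inside the bound, but always count it so the
   return value reports the full length (C99 semantics: callers can detect
   truncation by comparing the result against count). */
static void emit(char *buf, size_t count, size_t *pos, char c)
{
    if (count > 0 && *pos < count - 1)
        buf[*pos] = c;
    (*pos)++;
}

/* Hardened, still lightweight variant: never writes more than count-1
   characters plus a NUL. Supports %s, %d, %c and %%; any other conversion
   stops formatting (assumed subset, enough to show the bound being kept). */
static int bounded_snprintf(char *buf, size_t count, const char *fmt, ...)
{
    va_list ap;
    size_t pos = 0;
    va_start(ap, fmt);
    for (; *fmt != '\0'; fmt++) {
        if (*fmt != '%') { emit(buf, count, &pos, *fmt); continue; }
        fmt++;
        if (*fmt == 's') {
            const char *s = va_arg(ap, const char *);
            for (; *s != '\0'; s++) emit(buf, count, &pos, *s);
        } else if (*fmt == 'd') {
            int v = va_arg(ap, int);
            /* magnitude computed without overflowing on INT_MIN */
            unsigned int u = v < 0 ? (unsigned int)(-(v + 1)) + 1u : (unsigned int)v;
            char digits[10];
            int len = 0;
            if (v < 0) emit(buf, count, &pos, '-');
            do { digits[len++] = (char)('0' + u % 10u); u /= 10u; } while (u != 0u);
            while (len > 0) emit(buf, count, &pos, digits[--len]);
        } else if (*fmt == 'c') {
            emit(buf, count, &pos, (char)va_arg(ap, int));
        } else if (*fmt == '%') {
            emit(buf, count, &pos, '%');
        } else {
            break;
        }
    }
    va_end(ap);
    if (count > 0)
        buf[pos < count ? pos : count - 1] = '\0';
    return (int)pos;
}

/* Canary check: format 22 characters with count = 8 into a buffer whose
   bytes beyond the bound hold a sentinel. Returns 1 if the function stayed
   inside count and NUL-terminated, 0 if it wrote past the bound. The spare
   space in `area` keeps the unbounded variant from smashing this frame. */
static int respects_bound(snprintf_fn fn)
{
    char area[64];
    const size_t count = 8;
    size_t i;
    memset(area, 0xA5, sizeof area);
    fn(area, count, "%s=%d", "overflowing_key", 123456);  /* 22 chars + NUL */
    if (area[count - 1] != '\0')
        return 0;
    for (i = count; i < sizeof area; i++)
        if ((unsigned char)area[i] != 0xA5u)
            return 0;
    return 1;
}

int main(void)
{
    printf("libc snprintf      keeps bound: %d\n", respects_bound(snprintf));
    printf("bounded_snprintf   keeps bound: %d\n", respects_bound(bounded_snprintf));
    printf("dropcount_snprintf keeps bound: %d\n", respects_bound(dropcount_snprintf));
    return 0;
}
```

Running it prints 1, 1, 0: the library snprintf and the bounded variant stop at the eighth byte, while the variant that discards count writes all 23 bytes, which is exactly the overflow a caller sizing its buffer from ‘count’ would not expect. The same check is a cheap guard for any project that swaps in a minimal printf family to save code size.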