Logo

dev-resources.site

for different kinds of informations.

TIL C11 Annex K exists but you shouldn't use it

Published at
11/2/2024
Categories
c
todayilearned
Author
jcbhmr
Categories
2 categories in total
c
open
todayilearned
open
Author
6 person written this
jcbhmr
open
TIL C11 Annex K exists but you shouldn't use it

Annex K is the technical name. Other common keywords are __STDC_LIB_EXT1__ and __STDC_WANT_LIB_EXT1__. Annex K defines the "secure" _s suffix stuff like sprintf_s() and scanf_s().

Also check out Field experience with Annex K (2015) and the Bounds checking - cppreference.com technical documentation.

The goal

What's the point of the _s() functions? They check their arguments for more invariants like "will call the constraint handler if the stream is null, the string is null, the bufsz is zero, or the buffer would write out-of-bounds beyond the specified length". That seems like a good idea, right? Yeah! It does!

The gist of it is that you can/could do this:

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdio.h>

int main() {
  printf_s("Hello %s!\n", "Alan Turing");
  return 0;
}
Enter fullscreen mode Exit fullscreen mode

How does that compare to the normal way of doing things without __STDC_WANT_LIB_EXT1__?

Happy path

FILE *file = fopen("hello.txt", "r");
// file is OK.
Enter fullscreen mode Exit fullscreen mode
FILE *file;
errno_t err = fopen_s(&file, "hello.txt", "r");
// file is OK
Enter fullscreen mode Exit fullscreen mode

Sad path

FILE *file = fopen("notexist.txt", "r");
// file is NULL, errno is set.
Enter fullscreen mode Exit fullscreen mode
FILE *file;
errno_t err = fopen_s(&file, "notexist.txt", "r");
// file is NULL, err is set.
Enter fullscreen mode Exit fullscreen mode

Bad path

FILE *file = fopen(NULL, NULL);
// idk.
Enter fullscreen mode Exit fullscreen mode
FILE *file;
errno_t err = fopen_s(&file, NULL, NULL);
// Constraint violated. Abort with message.
Enter fullscreen mode Exit fullscreen mode

Yes, you can customize the constraint handler to just log to a file and continue on as though nothing happened.

set_constraint_handler_s(ignore_handler_s);
set_constraint_handler_s(abort_handler_s);
set_constraint_handler_s(my_awesome_handler);
Enter fullscreen mode Exit fullscreen mode

Notice how the normal fopen() has the same return value (possibly different errno) to indicate different levels of bad-ness of errors? That's kinda what this fopen_s() was trying to improve. At least, that's my reading of it. I think of it like Rust's panic!() vs a returned Result<String, std::io::Error>. It also probably helps stop some buffer overflow attacks by providing size_of_dest arguments to avoid overflowing any dest buffers like strcpy_s() and gets_s().

char* gets( char* str ); // (removed in C11)
char* gets_s( char* str, rsize_t n ); // (since C11, annex K)

Reads stdin into the character array pointed to by str until a newline character is found or end-of-file occurs. A null character is written immediately after the last character read into the array. The newline character is discarded but not stored in the buffer.

The gets() function does not perform bounds checking, therefore this function is extremely vulnerable to buffer-overflow attacks. It cannot be used safely (unless the program runs in an environment which restricts what can appear on stdin). For this reason, the function has been deprecated in the third corrigendum to the C99 standard and removed altogether in the C11 standard. fgets() and gets_s() are the recommended replacements.

WARNING: Never use gets().

// BAD
char buffer[1000];
gets(buffer);
// ⚠️ Could write >1000 chars to `buffer`!
Enter fullscreen mode Exit fullscreen mode
// GOOD
char buffer[1000];
gets_s(buffer, sizeof(buffer));
// This will stop at 1000 chars.
Enter fullscreen mode Exit fullscreen mode

The _s() function seems pretty nice to stop common places where buffer overflows can happen.

The problem

They aren't implemented everywhere. The _s() functions are an extension that isn't available in libc implementations like GNU's glibc. There's other minor issues like it not being ergonomic for multithreading and the common mistake of doing sizeof(src) instead of sizeof(dest) for things like strcpy_s(), but that all pales in comparison to the availablity problem.

Most online information I can find seems to indicate that MSVC is the only major compiler/libc that has implemented Annex K.

Given that these fancy _s() functions aren't everywhere that your code needs to compile you'd need to write code like this:

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdio.h>

int main() {
#ifdef __STDC_LIB_EXT1__
    printf_s("data results: %s, %d, %lu\n", a, b, c);
#else
    printf("data results: %s, %d, %lu\n", a, b, c);
#endif
}
Enter fullscreen mode Exit fullscreen mode

...for every instance that you want to do strlen_s() or fopen_s() or strcpy_s(). That's a good way to go insane.

So obviously you're not going to write platform-dependent code just to do basic printf() and strcpy() but what about wrapping all that #ifdef __STDC_LIB_EXT1__ #else stuff in a library?

There were two promising-looking libraries that I found via a quick Google search:

So... if you want to (or are required to by security stuff) to use _s() functions but also don't want to limit yourself to just MSVC then you can use one of those ☝ libraries.

📚 For more reading check out Field experience with Annex K (2015) and the Bounds checking - cppreference.com technical documentation.

todayilearned Article's
30 articles in total
Favicon
My First Post and Introduction
Favicon
Guess what? You can make a game inside a PDF!
Favicon
TIL: Tag Function / Tagged Template Literals
Favicon
update notepad++
Favicon
TIL: Styling Obsidian text paragraphs
Favicon
Today I Learned...
Favicon
Outlook tìm mail nhận trong khoảng thời gian xác định
Favicon
TIL: using --no-deps with docker compose
Favicon
TIL: LIFO Solution and Regular Exprresion Techniques【CodeWars】
Favicon
Scrum Fundamentals Certification (SFC) | Study Notes - Part I: Introduction
Favicon
Downloading the same file 102+ times
Favicon
Build Golang from Source for v1.23+
Favicon
3 Myths, 3 Facts, and 3 Strategies to Scale Node.js Apps
Favicon
How to Validate Inputs Using Only HTML
Favicon
Turning a Customer Security Concern into a Feature
Favicon
Opposite Colours Tool
Favicon
Work Life Balance
Favicon
Is This a Good Way to Reduce Operational Costs?
Favicon
TIL: How to Trim Trailing Zeros【CodeWars】
Favicon
Why 1% - 1% Isn't Zero in Your Calculator (And What It Really Means)
Favicon
What I’ve Learned from Building a Calculator with Vue.js
Favicon
Starting to Rust
Favicon
TIL C11 Annex K exists but you shouldn't use it
Favicon
Be careful with join type typos
Favicon
The Role of AI in Financial Services: Opportunities and Challenges
Favicon
Starting to Rust
Favicon
Getting Started with the TMDB API: A Beginner's Guide
Favicon
TIL emalloc() auto-exits on out-of-memory errors
Favicon
TIL: How To Use the Specification Pattern in C# To Simplify Repositories
Favicon
Devops Foundation - Day1

Featured ones: