On Tue, 29 Jun 2021 09:41:25 +0000 "Roland Gaudig (OSS)" <roland.gaudig-...@weidmueller.com> wrote:
> I think just passing the format string directly to sprintf should be
> avoided because it is unsafe. For example
>
> => setexpr foo fmt %s 0xffffffff
>
> would surely lead to an access to a memory location outside the variable
> where 0xffffffff is stored.

+1. I guess Wolfgang's rationale was that in U-Boot we already have pretty
serious means to break the system, so allowing the user to directly pass
wrong parameters to sprintf is not that much of a problem, since we can say
that the user should know what they are doing.

But implementing a dedicated format parser for this that is also safe is a
simple exercise, imho, so I think we should do this properly, if at all.

> > This was actually one of my intentions when making this suggestion -
> > to be able to construct any kind of data from pieces; say, for
> > example:
> >
> > => setexpr foo fmt "%0x08x-%s-%d-%s" $a $b $c $d
>
> I think the only way to support such expressions in a safe way would
> be implementing its own format string parser for setexpr with
> corresponding checks if access is possible, instead of just directly
> passing all values unchecked to sprintf.

We can properly implement

  %s with field width, justification
  %c
  integral types (everything 64-bits, no reason for length modifiers, imho)
    with field width, precision, zero padding, sign forcing, etc...

We don't need floating point or out-of-order arguments.

Marek
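The restricted formatter Marek sketches above, written out as an added example; this is not U-Boot code and not code from anyone in the thread. It rebuilds each conversion spec from a whitelist (%s, %c and 64-bit %d %i %u %x %X %o, with digit-only width and precision and the flags - 0 + space) and validates the argument count and the numeric arguments before anything reaches vsnprintf, so %n, %p, %f, '*', length modifiers and '#' are all rejected outright. The function name safe_fmt, the SPEC_MAX limit and the choice to parse integer arguments with base 0 (setexpr itself treats values as hex) are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPEC_MAX 32   /* "%" + flags + width + ".prec" + "ll" + conv + NUL */

/* Append one formatted piece at *pos, bounded like snprintf; *pos tracks the
 * full logical length so truncation is visible to the caller. */
static int emit(char *out, size_t outlen, size_t *pos, const char *spec, ...)
{
    va_list ap;
    char *dst = (*pos < outlen) ? out + *pos : NULL;
    size_t room = (*pos < outlen) ? outlen - *pos : 0;
    int n;

    va_start(ap, spec);
    n = vsnprintf(dst, room, spec, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    *pos += (size_t)n;
    return 0;
}

/* Copy one char into the rebuilt spec, reserving 4 bytes for "ll", conv, NUL. */
static int push(char *spec, size_t *sl, char c)
{
    if (*sl >= SPEC_MAX - 4)
        return -1;
    spec[(*sl)++] = c;
    return 0;
}

/* Format argv[0..argc) into out according to fmt using only the whitelisted
 * conversions. Any unsupported spec, an argument count mismatch or a
 * non-numeric argument for an integer conversion fails with -1 (hypothetical
 * API). Integer arguments are parsed with base 0. Returns the full length
 * that snprintf would have produced. */
int safe_fmt(char *out, size_t outlen, const char *fmt, int argc, const char *argv[])
{
    size_t pos = 0;
    int argi = 0;
    const char *p = fmt;

    if (!out || !fmt || outlen == 0)
        return -1;
    out[0] = '\0';

    while (*p) {
        char spec[SPEC_MAX], flags[8] = "", conv, *end;
        size_t sl = 0, fl = 0;
        int has_prec = 0;
        const char *arg;

        if (*p != '%') {                          /* literal character */
            if (emit(out, outlen, &pos, "%c", *p++))
                return -1;
            continue;
        }
        if (*++p == '%') {                        /* "%%" -> literal '%' */
            if (emit(out, outlen, &pos, "%%"))
                return -1;
            p++;
            continue;
        }
        spec[sl++] = '%';
        while (*p && strchr("-0+ ", *p)) {        /* flags ('#' never accepted) */
            if (fl < sizeof(flags) - 1)
                flags[fl++] = *p;
            if (push(spec, &sl, *p++))
                return -1;
        }
        while (isdigit((unsigned char)*p))        /* width: digits only, no '*' */
            if (push(spec, &sl, *p++))
                return -1;
        if (*p == '.') {                          /* precision: digits only */
            has_prec = 1;
            do {
                if (push(spec, &sl, *p++))
                    return -1;
            } while (isdigit((unsigned char)*p));
        }
        if (*p && strchr("hlLqjzt", *p))          /* length modifiers rejected */
            return -1;
        if (!(conv = *p++))                       /* dangling '%' */
            return -1;
        if (argi >= argc)                         /* more conversions than args */
            return -1;
        arg = argv[argi++];

        switch (conv) {
        case 's': case 'c':
            /* only '-' is defined for %s/%c; '0' '+' ' ' and %.Nc would be UB */
            if (strspn(flags, "-") != strlen(flags) || (conv == 'c' && (has_prec || !arg[0])))
                return -1;
            spec[sl++] = conv; spec[sl] = '\0';
            if (conv == 's' ? emit(out, outlen, &pos, spec, arg)
                            : emit(out, outlen, &pos, spec, (int)(unsigned char)arg[0]))
                return -1;
            break;
        case 'd': case 'i': {
            long long v;
            errno = 0;
            v = strtoll(arg, &end, 0);
            if (end == arg || *end || errno)      /* reject "12abc", "", overflow */
                return -1;
            spec[sl++] = 'l'; spec[sl++] = 'l'; spec[sl++] = 'd'; spec[sl] = '\0';
            if (emit(out, outlen, &pos, spec, v))
                return -1;
            break;
        }
        case 'u': case 'x': case 'X': case 'o': {
            unsigned long long v;
            errno = 0;
            v = strtoull(arg, &end, 0);
            if (end == arg || *end || errno)
                return -1;
            spec[sl++] = 'l'; spec[sl++] = 'l'; spec[sl++] = conv; spec[sl] = '\0';
            if (emit(out, outlen, &pos, spec, v))
                return -1;
            break;
        }
        default:                                  /* %n, %p, %f, '*', ... */
            return -1;
        }
    }
    return argi == argc ? (int)pos : -1;          /* leftover args are an error */
}
```

The point of rebuilding the spec rather than forwarding the user's string is that vsnprintf only ever sees a conversion this code composed, with an argument of exactly the type that conversion expects; the user's format is treated as data to be parsed, not as code to be executed. Flags and precision are also checked per conversion, because "%05s" or "%.2c" are undefined behaviour in C even though a naive whitelist of conversion letters would let them through.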