On Sat, 31 Jan 2026 at 16:13, Martin D Kealey <[email protected]> wrote:
>
>
>
> On Sat, 31 Jan 2026 at 17:37, Amit via austin-group-l at The Open Group
> <[email protected]> wrote:
>>
>> """"Basically, I am proposing that the inputs of all functions should be
>> validated.""""
>
>
> By whom? The caller? The callee? The operating system? The compiler? An
> oracle?
>
> What kind of validation? Just the things that can already be done by C
> compilers? All array bounds? Pointer (non)nullity? Object lifetime? Object
> ownership?
>
> If not the caller, where is the cross-reference data to perform the
> validation supposed to come from?
>
> Why only parameters and not return values?
>
> Can you give an example of the kind of validation you have in mind?
>
> -Martin
>
> PS: POSIX defers to the C language for the definitions of many functions; if
> you want to change those, I suspect that the ISO-9899 C Language
> Working Group would probably be a better forum to discuss this.
Something like this:
#define MAX_LENGTH_SUPPORTED 1024 * 1024 // 1 MB
char *strncpy(char *dest, const char *src, size_t n)
{
if ((!dest) || (!src)) {
return appropriate_error;
}
if (n > MAX_LENGTH_SUPPORTED) {
return appropriate_error;
}
__rest_of_the_function__
}
Please let me know if this is not the right group for this. Please
tell me which group to contact.
I have written an article on how to create secure software and I have
explained there how to figure out the limits of a function argument. I
am listing that part here.
The link to my article is:
https://marc.info/?l=linux-kernel&m=176854919905273&w=2
Figuring out the limits of a function argument:
----------------------------------------------------------------------------------------------------------------------
To find the MIN and the MAX values of your arguments, you can check how much
your function/software can support and also how much the underlying hardware
can support. Another factor to consider would be that,
"practically/realistically", how much would actually be needed by the
majority of users. For example, in general, in real life, I haven't heard of
someone needing to sort an integer array having 1 billion elements (in RAM,
not on disk). So, there is no point in supporting that many elements. Now,
let's say that you have a sorting function that sorts an integer array, and
it takes the number of array elements as an input. In this case, you can
limit the maximum number of elements to around 10% of the RAM size. On Linux,
you can get the RAM size through /proc/meminfo. Maybe you can implement a
function called get_ram_size() so that your code can run on all systems
having different RAM sizes. For example, if your system has 2 GB of RAM, then
the maximum limit would be 214,748,364 elements (around 214 million
elements). This should be enough to satisfy almost all users, but if some
people are not happy with this limit, then they can implement their own
versions of the function. Again, please don't satisfy the minority at the
expense of the majority.
Similarly, for strings, you can set the maximum length to 1 KB, or 100 KB, or
1% of the RAM size.
----------------------------------------------------------------------------------------------------------------------
Amit
