11

I am currently, writing a code for string manipulation. As part of this, I am using vsnprintf().

However, compiler flashes below error message:

dont_call: vsnprintf(). Invokation of a potentially dangerous function
    that could introduce a vulnerability. remediation:
    Recommendation: Use vsprintf_s() instead!

The results with vsprintf_s() is as not expected.

What is the difference between vsnprintf() and vsprintf_s()?

Deduplicator
  • 44,692
  • 7
  • 66
  • 118
Sanman
  • 129
  • 1
  • 6
  • 13
    forget that warning, it's an attempt of microsoft's compiler to trick you into using their non-standard functions. The fact that there's also a standard `vsprintf_s()` makes it **worse**, as these are incompatible. There's nothing dangerous about a **correct** use of `vsnprintf()`. –  Sep 29 '17 at 09:18
  • 4
    To begin with, there is one [`vsprintf_s`](http://en.cppreference.com/w/c/io/vfprintf) in the standard. Then Windows and the Visual C runtime have its *own* [`vsprintf_s`](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/vsprintf-s-vsprintf-s-l-vswprintf-s-vswprintf-s-l) which is not fully compatible with the standard C function by the same name. So first of all you need to tell us *which* function you use. – Some programmer dude Sep 29 '17 at 09:19
  • 2
    Also, you should probably ask a question about *why* your call to `vsprintf_s` isn't working as you expect it to. Including a [Minimal, Complete, and Verifiable Example](http://stackoverflow.com/help/mcve), and of course the expected and actual results. – Some programmer dude Sep 29 '17 at 09:21
  • 2
    The `_s` functions are less safe than the original ones, all things considered... IMO it is just MS throwing their toys out of the cot over the standardization process – M.M Sep 29 '17 at 12:47
  • 2
    It looks like you only ever going to hear from people that don't care about C11. It is not a MSVC error message so the "MS sucks" comments are useless. Do post your own attempt at making this work to get somewhere. – Hans Passant Oct 01 '17 at 13:20

2 Answers2

10

vsnprintf() is a perfectly fine standard function that has no security issues if used properly, especially if the format string is a string literal compatible with the arguments passed.

Microsoft deprecated this function because an attacker could take advantage of sloppy code that uses user supplied text as the format specification: carefully crafted user supplied strings could use the %n format to try and corrupt the program's data and make the program execute arbitrary code.

Using a variable format string is error prone as it is difficult to verify that the types of the arguments are compatible with this dynamically generated format string. Sensible coding conventions do not permit such code. Passing a user supplied string as a format string is completely inappropriate as it is a trivial source of undefined behavior. Disabling useful and standard functions because they could be misused and create security flaws is laudable, but in this particular case, the proposed alternatives have shortcomings.

There are 2 alternatives for vsnprintf(), standardized in Annex K, but with optional support and thus non portable across environments:

int vsprintf_s(char * restrict s, rsize_t n,
               const char * restrict format,
               va_list arg);

and

int vsnprintf_s(char * restrict s, rsize_t n,
                const char * restrict format,
                va_list arg);

These functions behave differently from vsnprintf in subtile ways:

  • Neither support the %n specifier.
  • Neither allow the size argument n to have a 0 value.
  • Neither allow the s target array to be a null pointer, which snprintf() allows if the n size is 0.
  • vsprintf_s differs from vsnprintf_s when the output string is longer than n-1: it sets the destination to the empty string, invokes the error handler and returns 0 or a negative number instead of the length of the formatted string, as both vsnprintf and vsnprintf_s do.

As commented by A T, to make matters worse, Microsoft implements different semantics in their own version of this standard functions: even the prototype for vsnprintf_s is different (as documented in the Visual Studio documentation):

int vsnprintf_s(
   char *buffer,
   size_t sizeOfBuffer,   // extra argument
   size_t count,          // special semantics for the value _TRUNCATE
   const char *format,
   va_list argptr
);

As a result of the numerous deviations from the specification the Microsoft implementation cannot be considered conforming or portable.

You did not post the code where you want a replacement for snprintf(), but a classic use case is this:

/* allocate a string formated according to `format` */
int vasprintf(char **strp, const char *format, va_list ap) {
    va_list arg;
    int ret;

    if (!strp) {
        errno = EINVAL;
        return -1;
    }

    va_copy(arg, ap);
    ret = vsnprintf(NULL, 0, format, arg);
    va_end(arg);

    *strp = NULL;
    if (ret < 0 || (*strp = malloc(ret + 1)) == NULL) {
        return -1;
    }

    return vsnprintf(*strp, ret + 1, format, ap);
}

In the above code, vnsprintf cannot be replaced with vsprintf_s because vsprintf_s cannot be used to compute the required size: it always considers a short size as an error. vsnprintf_s cannot be used as a direct replacement because it considers a NULL pointer as the target to be an error too.

The solution is simple: you can prevent Visual Studio from emitting this warning by defining a macro before including <stdio.h> in the source file:

#ifdef _MSC_VER
#define _CRT_SECURE_NO_WARNINGS  // let me use standard functions
#endif

This prevents the warning for all deprecated library functions.

Note also that it is very useful to increase the warning level and let the compiler warn about potential bugs, such as inconsistent arguments for a given format string. With gcc and clang, you can pass -Wall and other command line options to enable such behavior. For Visual Studio, you can add more warnings with /W4.

chqrlie
  • 131,814
  • 10
  • 121
  • 189
  • 1
    Would the downvoters please care to explain in comments? – chqrlie Feb 01 '18 at 19:40
  • 3
    I'm still getting drive-by DVs, too. I suspect as a knee-jerk response to recommending `#define _CRT_SECURE_NO_WARNINGS`. Potential downvoters need to read [this](http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm): "Microsoft Visual Studio implements an early version of the APIs. However, the implementation is incomplete and conforms neither to C11 nor to the original TR 24731-1. ... **As a result of the numerous deviations from the specification the Microsoft implementation cannot be considered conforming or portable.**" – Andrew Henle Feb 21 '20 at 16:28
  • @AndrewHenle: indeed Microsoft seems to make a habit of setting their own standards... See this answer for another example I just discovered: https://stackoverflow.com/a/60290128/4593267 – chqrlie Feb 29 '20 at 21:58
  • An excellent discussion. I ended up changing my own code so I am not passing a `va_list`. Additionally, my problem was caused by a format string that did not match the type of the variable passed in the `...`. It worked in Linux, but not in Windows 10 VS 2019. – Daisuke Aramaki Nov 13 '20 at 21:03
  • @AndrewHenle You wrote "drive-by DVs". That really made me laugh. More seriously: Ignore those drive-by DVs. This answer and yours are great! – kevinarpe Mar 10 '22 at 12:38
  • Too few arguments to function call, expected 5, have 4 'vsnprintf_s', see https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/vsnprintf-s-vsnprintf-s-vsnprintf-s-l-vsnwprintf-s-vsnwprintf-s-l – A T May 23 '22 at 18:29
  • @AT: amazing! I had not seen this major incompatibility between Annex K and Microsoft's versions... I shall rephrase my answer: `vsnprintf_s` **must not be used** because it definitely non portable between systems that obnoxiously push for its use and the rest of the world where it is optional and has standard but different semantics. – chqrlie May 23 '22 at 19:14
  • The prototype in VS is `int vsnprintf_s(char *buffer, size_t sizeOfBuffer, size_t count, const char *format, va_list argptr);` Passing separate arguments `sizeOfBuffer` and `count` to allow for the dubious non standard `_TRUNCATE` semantics is ridiculous: truncation can be tested trivially by comparing the return value with the buffer size argument. Use `_CRT_SECURE_NO_WARNINGS` and ditch Annex K completely. – chqrlie May 23 '22 at 19:16
8

The solution is to always add

#define _CRT_SECURE_NO_WARNINGS

as the first line of code when compiling with Visual Studio. Or maybe the second line if you're writing cross-platform code and the first line is something like #ifdef _WIN32, such as

#ifdef _WIN32
#define _CRT_SECURE_NO_WARNINGS
#endif

This will disable warnings that Microsoft has "deprecated" functions required by the C Standard.

Andrew Henle
  • 32,625
  • 3
  • 24
  • 56
  • 5
    OP did not ask for a solution to turn off the warning. He/she asked for an explanation. – arminb Sep 29 '17 at 12:37
  • 9
    @arminb Emitting warnings that a ***standards-required*** function "has been deprecated" is, IMO, deliberately misleading and therefore indefensible. That bogus warning is the root cause of much confusion, such as this very question. – Andrew Henle Sep 29 '17 at 12:41
  • 2
    I would add your comment to the answer, because it explains your solution and why you are proposing it. – arminb Sep 29 '17 at 12:46
  • @arminb I didn't think my opinions about that warning are appropriate as part of an actual answer - they're more commentary. – Andrew Henle Sep 29 '17 at 13:20
  • @AndrewHenle: I suggest testing `_MSC_VER` instead of `_WIN32` for portability to 64-bit versions. – chqrlie May 23 '22 at 19:41