>In message: <20040425044912.94DFEA655@zen.crufty.net>
>            sjg@crufty.net (Simon J. Gerraty) writes:
>: cp += snprintf(...)

>Maybe people shouldn't do that at all.  No need to have a cp +=
>safe_sprintf() because the code is still wrong in the buffer overflow
>case: if it returns 0, future uses of cp will be wrong.

Not so (and as someone pointed out, save_snprintf() should actually
return the amount of buffer consumed - which just happens to be 0 in
the case where there was no room left).

There's nothing wrong with doing a bunch of

cp += safe_snprintf(cp, ep - cp, ....)

followed by if (cp >= ep) oops!;
Ie. there is no overflow issue and you can detect the error as early/late
as you like.

>So what you propose would fix the 'negativge offset' issue, but not
>deeper issues.

What deeper issue?

Adding the means for safe_snprintf to panic when no space available
would be quite useful too.  Controlled by #if DIAGNOSTIC and/or a sysctl 
perhaps.

--sjg