Jim Meyering <jim <at> meyering.net> writes: > I read this: http://docs.sun.com/app/docs/doc/819-2243/mkstemps-3c?a=view > > int mkstemps(char *template, int slen); > ... > > Description > ... > > The mkstemps() function behaves the same as mkstemp(), except it > permits a suffix to exist in the template. The template should > be of the form /tmp/tmpXXXXXXsuffix. The slen parameter specifies > the length of the suffix string. > > That looks useful, but why use a signed type for that "slen" parameter?
Solaris did it because they were copying BSD, which also did that. And when git recently added git_mkstemps, they kept int. But I agree that it is stupid; and in my first attempt at a newlib implementation, I indeed had a bug where the user could pass a negative value and thus cause the library to write memory beyond the template bounds. I guess it would be nice to audit the BSD and OpenSolaris implementations to see if they have out-of-bounds bugs. > I'd suggest using size_t if you provide the function, and consider > replacing the above interface. > > Then, if it's ever standardized, perhaps they'll get it right. Maybe the thing to do is first probe the glibc waters, and see how likely mkstemps is to be accepted there (with either a broken signature or your preferred size_t signature). After all, our gen_tempname function is borrowed from glibc. I hate writing glibc bug reports for requesting new interfaces (based on the flaming I received last time I attempted that, with a request for verror), but I guess I can take the heat and do that first. -- Eric Blake
