Improve use of sprintf and snprintf

[jesterhodl]

A handful of code quality improvements in how we sprintf to buffers:

1. Use sizeof() in snprintf to reduce the amount of hardcoded magic values that might be needed to update in the future consistently and therefore potentially lead to bugs. Also using sizeof() can catch certain classes of issues at compile time, eg. warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] or note: ‘snprintf’ output between 2 and 512 bytes into a destination of size 511

2. use 1024 bytes for userpass buffer consistently, this was found by using sizeof() above, actually

3. C99 snprintf() is OK to be called without subtracting 1 byte, we can stop bother to null terminate

4. prefer safer snprintf() instead sprintf() in places I found it makes sense

[luke-jr]

Each of user and pass accept up to 1023 bytes, so maybe for consistency this should be (1023 * 2) + 2?

[jesterhodl]

There' further inconsistency.
datum_conf.h says:

typedef struct {
        char bitcoind_rpcuser[256];
        char bitcoind_rpcpassword[256];

datum_conf.c has max_string_length set to 128 and it does truncate to 128

so maximum userpass would be even less: 127*2+2, but I suggest to focus this one on the userpass and snprintf bits and leave aligning that with datum_conf.c and datum_conf.h in a seprate PR.

[luke-jr]

Indeed, I was mixing it up with pool_host/pubkey.

Just be careful with the one case it's reused for a file path.

[jesterhodl]

Aside from the path reuse case. How about we populate the userpass once at startup, and access as a config variable, instead of reconstructing it all the time in 5 files?

[jesterhodl]

Next commit shows what I meant. Do the userpass thing just one time, keep it global, similarly to how is set once datum_protocol_global_timeout_ms. This eliminates all those multiple snprintf()s
I've also thrown in some other goodies:

• in order to stop populating userpass over and over again, populate once and reuse
• in order to eliminate discrepancies between char array sizes, use sizeof() in max_string_length of datum_config_options
• introduce a warning in case a config option is truncated
• where userpass was reused for a filepath, create a separate variable
• reduce user and pass to 128 bytes
• exit during config upon parsing error, makes more sense to me

[jesterhodl]

Is this fine?

[luke-jr]

msg->msg is a char*, so this will only be the size of a pointer and truncate all log messages...

[jesterhodl]

Ouch, it shows I didn't check the underlying type because I thought this is the place with a char[]. Sorry!

We can revert to 1023, especially because log_line that gets written to the file is 1200, so if we subtract about 80 bytes for the timestamp, function name and log level, we could fit about 1100 bytes, so that's fine.

But I found something else here: the return value of vsnprintf is not checked and has an effect.

In case of messages larger than 1023 it would waste a bit of the circular buffer. This is because when vsnprintf truncates it returns the untruncated length of the data. So, if it is >= 1023, then msg_buf_idx is moved by more than it really needs to, causing waste of the buffer. eg. 4000 instead of 1023:
msg_buf_idx[buffer_id] += i+2; // moved by 4000 but we truncated to 1023

If I am reading this right then I would suggest a quick check of the return value.

        i = vsnprintf(msg->msg, 1023, format, args);

        // clamp i to actual written value in order not to waste buffer space
        if (i >= 1023) {
                i = 1022;
        }

Thoughts?

[luke-jr]

Sounds fine

[luke-jr]

(same as above)

[jesterhodl]

as above

[luke-jr]

(same as above, and also for datum_submitblock_doit)

[jesterhodl]

as above

[luke-jr]

Let's just replace these with bitcoind_rpcuserpass rather than the userpass global?

[jesterhodl]

ok, removed the global. In order to easily parse user and pass from the config I made rpcuser and rpcpassword char arrays in datum_conf.c. Is what's in the last commit ok? c320b45

[luke-jr]

That moves the individual user/pass to globals :(

Maybe check out what I did in #60

[jesterhodl]

Yeah, I initially wanted to just put rpcuserpass in global_config_t, and I really wanted to some how get rid of bitcoind_rpcuser and bitcoind_rpcpassword from it as you said (replace). That would require copying the user and password parts into the same array and "rejigging" it to put the colon in (%s:%s)

That would allow to get rid of rpcuser and rpcpassword, but I didn't like it.
Which do you prefer: trying to drop rpcuser and rpcpassword completely or keeping all 3 (user, pass, userpass)?

[jesterhodl]

yeah, so I thought you originally wanted to completely remove rpcuser and rpcpassword in favour of a joint field, that's why my previous comment was kinda odd/stupid :-|
The #60 shows you're ok with putting userpass to the config, so I did that.
I can rebase after you get #60 in.

[luke-jr]

Should drop this?

[jesterhodl]

Because we set NUL at 1199 anyway? We can. I just wanted to reduce relying on hardcoded lengths and make the code use defined char arrays sizes and recommended ways to call the "snprintf family".

char log_line[1200];

// ...

if (log_calling_function) {
                                        j = snprintf(log_line, sizeof(log_line), "%s.%03d [%44s] %s: %s\n", time_buffer, millis, msg->calling_fu>
                                } else {
                                        j = snprintf(log_line, sizeof(log_line), "%s.%03d %s: %s\n", time_buffer, millis, level_text[msg->level]>
                                }

What do you think?