| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Nov 2010 14:26:02 +0900
From: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>
To: Dmitry Torokhov <dmitry.torokhov@...il.com>
Cc: Pavel Vasilyev <pavel@...linux.ru>,
Ming Lei <tom.leiming@...il.com>,
LKML <linux-kernel@...r.kernel.org>, yoshfuji@...ux-ipv6.org
Subject: Re: [PATCH] Repalce strncmp by memcmp
2010-11-28 (Sun) 20:13 -0800, Dmitry Torokhov wrote:
> On Mon, Nov 29, 2010 at 06:11:21AM +0300, Pavel Vasilyev wrote:
> > On 29.11.2010 05:29, Ming Lei wrote:
> > > Hi,
> > >
> > > 2010/11/29 Pavel Vasilyev <pavel@...linux.ru>:
> > >> This patch replace all strncmp(a, b, c) by memcmp(a, b, c).
> > >>
> > >> I test on x86_64 (AMD Opteron 285).
> > > In fact, memcmp doesn't handle case of tail of string, so
> > > it is not safe to replace strncmp with memcmp
> > >
> > #include <stdio.h>
> > #include <errno.h>
> >
> > int main() {
> >
> > char *STR = "XXXX\0";
> > char *XXX = "XXXX";
>
> Try comparing:
>
> "XXXX\0YYYY" and
> "XXXX\0ZZZZ"
>
> and observe the difference.
>
Yes, if both of the strings are NOT known to have enough length.
It is safe to replace strncmp(a,b,n) with memcmp(a,b,n)
if a or b is/are known to have enough length; strlen(a) >= n ||
strlen(b) >= n.
I think some of the replacements in the original patch are valid,
but for even those valid replacement, I think it is worth doing
that in hot code paths only.
--yoshfuji
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists