lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Oct 2023 18:19:01 -0700
From: Kees Cook <>
To: Justin Stitt <>
Cc: Stanislav Yakovlev <>,
	Kalle Valo <>,,,
Subject: Re: [PATCH v2] wifi: ipw2x00: replace deprecated strncpy with

On Tue, Oct 17, 2023 at 09:48:15PM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
> `extra` is intended to be NUL-terminated which is evident by the manual
> assignment of a NUL-byte as well as its immediate usage with strlen().
> Moreover, many of these getters and setters are NUL-padding buffers with
> memset():
> 2439  |	memset(&tx_power, 0, sizeof(tx_power));
> 9998  | memset(sys_config, 0, sizeof(struct ipw_sys_config));
> 10084 | memset(tfd, 0, sizeof(*tfd));
> 10261 | memset(&dummystats, 0, sizeof(dummystats));
> ... let's maintain this behavior and NUL-pad our destination buffer.
> Considering the above, a suitable replacement is `strscpy_pad` due to
> the fact that it guarantees both NUL-termination and NUL-padding on the
> destination buffer.
> To be clear, there is no bug in the current implementation as
> MAX_WX_STRING is much larger than the size of the string literals being
> copied from. Also, strncpy() does NUL-pad the destination buffer and
> using strscpy_pad() simply matches that behavior. All in all, there
> should be no functional change but we are one step closer to eliminating
> usage of strncpy().
> Do note that we cannot use the more idiomatic strscpy invocation of
> (dest, src, sizeof(dest)) as the destination buffer cannot have its size
> determined at compile time. So, let's stick with (dest, src, LEN).

Yeah, these interfaces have external buffer size declarations. In this

This is probably one of the most difficult set of callbacks to track
down. sysfs might be worse...

But, ultimately, this is a private ioctl handler, and it is all boiled
down to calling ioctl_private_iw_point() (via ioctl_private_call()),
which does the allocation of "extra". The size, which is not passed to
the handler (*sob*), is determined by: get_priv_descr_and_size(), which
is looking at drivers/net/wireless/intel/ipw2x00/ipw2200.c's

         .cmd = IPW_PRIV_GET_MODE,
         .name = "get_mode"},

So it looks good to me.

Reviewed-by: Kees Cook <>

Kees Cook

Powered by blists - more mailing lists