| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Apr 2015 13:51:42 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Chris Metcalf <cmetcalf@...hip.com>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Fabian Frederick <fabf@...net.be>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Randy Dunlap <rdunlap@...radead.org>,
Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se>
Subject: Re: revert "fs/befs/linuxvfs.c: replace strncpy by strlcpy"
On Tue, Apr 28, 2015 at 12:48 PM, Chris Metcalf <cmetcalf@...hip.com> wrote:
>
> FWIW, I wanted to deal with some strncpy/strlcpy API issues last year
> and just put a "strscpy()" function in arch/tile/gxio/mpipe.c,
So quite frankly, I don't like that one either.
Some people really *do* want truncation, and your strscpy() makes that
impossible.
Also, your strscpy() implementation is actually not thread-safe: it
can return an non-terminated string if the source string isn't stable.
That can certainly be a design issue ("don't do that then"), but it
*can* be a possible source of security issues, so it's a bad idea in
something that is supposed to be secure.
And quite frankly, I think that the *only* valid reason to add another
random string copy function is that you actually get it right. We
don't need yet another half-arsed routine that can be easily misused.
We have too many of those.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists