lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180716114206.GA20555@nautica>
Date:   Mon, 16 Jul 2018 13:42:06 +0200
From:   Dominique Martinet <asmadeus@...ewreck.org>
To:     Jonathan Cameron <jic23@...nel.org>
Cc:     Hartmut Knaack <knaack.h@....de>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Peter Meerwald-Stadler <pmeerw@...erw.net>,
        Lorenzo Bianconi <lorenzo.bianconi83@...il.com>,
        Linus Walleij <linus.walleij@...aro.org>,
        linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 05/18] iio: change strncpy+truncation to strlcpy

Jonathan Cameron wrote on Sun, Jul 15, 2018:
> On Fri, 13 Jul 2018 03:25:34 +0200
> Dominique Martinet <asmadeus@...ewreck.org> wrote:
> > Generated by scripts/coccinelle/misc/strncpy_truncation.cocci
> > 
> > Signed-off-by: Dominique Martinet <asmadeus@...ewreck.org>
> 
> Applied to the togreg branch of iio.git and pushed out as testing
> for the autobuilders to play with it.

Thanks!

I have been pointed out that strlcpy, unlike strncpy, will read past the
size given in the input string and thus is Badâ„¢ if the input string is
not nul terminated.

After taking the time to check I believe this should not happen as the
original name seems to come from a dentry's d_name after proper
preparation (a buffer is allocated precisely for this purpose), but it
will not hurt to wait for that version.


The second reason I was waiting is that I intended to check for each
patch if it is safe to not pad the end of the string with zeroes (to
avoid e.g. information leaks) and that seems OK as well here after a
quick check but I wouldn't trust my own eyes this late so I'll let you
be judge of that if you feel like taking v1 anyway.

Otherwise, I'll recheck properly and submit a v2 with strscpy and a
better commit message after the coccinelle script is taken for inclusion
and doing a better check but this might take a while longer.


Thanks,
-- 
Dominique Martinet

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ