| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAK8P3a3zQm7zJWprcYq47VZD0ZZsuOTR3w7a8k78VH=3he2Fdw@mail.gmail.com>
Date: Tue, 21 Dec 2021 10:23:38 +0100
From: Arnd Bergmann <arnd@...db.de>
To: Jason Wang <wangborong@...rlc.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
David Miller <davem@...emloft.net>,
Arnd Bergmann <arnd@...db.de>, Jason Gunthorpe <jgg@...pe.ca>,
Networking <netdev@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] net: dl2k: replace strlcpy with strscpy
On Tue, Dec 21, 2021 at 8:14 AM Jason Wang <wangborong@...rlc.com> wrote:
>
> The strlcpy should not be used because it doesn't limit the source
> length. So that it will lead some potential bugs.
>
> But the strscpy doesn't require reading memory from the src string
> beyond the specified "count" bytes, and since the return value is
> easier to error-check than strlcpy()'s. In addition, the implementation
> is robust to the string changing out from underneath it, unlike the
> current strlcpy() implementation.
>
> Thus, replace strlcpy with strscpy.
>
> Signed-off-by: Jason Wang <wangborong@...rlc.com>
Are you trying to eliminate strlcpy() from all 800 files using it
completely? If not, I don't see a need to fix individual drivers
that use a constant source string and don't use the return
code, as the behavior should be the same.
While it seems reasonable to converge towards a more robust
string copy, none of the points you list in the changelog apply to
the function you patch here.
Arnd
Powered by blists - more mailing lists