| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d206311e-4fe6-54b6-f591-e2c11194aed2@linuxfoundation.org>
Date: Thu, 22 Jun 2023 09:30:33 -0600
From: Shuah Khan <skhan@...uxfoundation.org>
To: Kees Cook <keescook@...omium.org>,
Azeem Shaikh <azeemshaikh38@...il.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Valentina Manea <valentina.manea.m@...il.com>,
Shuah Khan <shuah@...nel.org>, linux-hardening@...r.kernel.org,
Hongren Zheng <i@...ithal.me>, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org,
Shuah Khan <skhan@...uxfoundation.org>
Subject: Re: [PATCH v3] usbip: usbip_host: Replace strlcpy with strscpy
On 6/21/23 21:10, Kees Cook wrote:
> On Thu, Jun 15, 2023 at 06:05:04PM +0000, Azeem Shaikh wrote:
>> strlcpy() reads the entire source buffer first.
>> This read may exceed the destination size limit.
>> This is both inefficient and can lead to linear read
>> overflows if a source string is not NUL-terminated [1].
>> In an effort to remove strlcpy() completely [2], replace
>> strlcpy() here with strscpy().
>>
>> Direct replacement is safe here since return value of -errno
>> is used to check for truncation instead of sizeof(dest).
>>
>> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
>> [2] https://github.com/KSPP/linux/issues/89
>>
>> Signed-off-by: Azeem Shaikh <azeemshaikh38@...il.com>
>
> Reviewed-by: Kees Cook <keescook@...omium.org>
>
Acked-by: Shuah Khan <skhan@...uxfoundation.org>
thanks,
-- Shuah
Powered by blists - more mailing lists