Message-ID: <CAAMvbhG40h6pqSf91BurDHQqeoKfP30bwnpvSDRHBN4Hoygqew@mail.gmail.com>
Date:   Thu, 19 Oct 2023 00:22:33 +0100
From:   James Dutton <james.dutton@...il.com>
To:     LKML Mailing List <linux-kernel@...r.kernel.org>
Subject: Is strncpy really less secure than strscpy ?

Is strncpy really less secure than strscpy ?

If one uses strncpy and thus puts a limit on the buffer size during the
copy, it is safe. There are no writes outside of the buffer.
If one uses strscpy and thus puts a limit on the buffer size during the
copy, it is safe. There are no writes outside of the buffer.
But, one can fit more characters in strncpy than strscpy because
strscpy enforces the final \0 on the end.
One could argue that strncpy is better because it might save the space
of one char at the end of a string array.
There are cases where strncpy might be unsafe. For example copying
between arrays of different sizes, and that is a case where strscpy
might be safer, but strncpy can be made safe if one ensures that the
size used in strncpy is the smallest of the two different array sizes.

If one blindly replaces strncpy with strscpy across all uses, one
could unintentionally be truncating the results and introduce new
bugs.

The real insecurity surely comes when one tries to use the string.
For example:

#include <stdio.h>
#include <string.h>

int main(void) {
        /* 10 characters exactly fill the array: no room for a terminating \0 */
        char a[10] = "HelloThere";
        char b[10];
        char c[10] = "Overflow";
        /* Copies 10 characters and, since a has no \0, leaves b unterminated too */
        strncpy(b, a, 10);
        /* This reads past the array looking for a \0 and so is unsafe */
        printf("a is  %s\n", a);
        /* This reads past the array looking for a \0 and so is unsafe */
        printf("b is  %s\n", b);
        /* This is safe: the precision bounds the read to 10 characters */
        printf("a is  %.*s\n", 10, a);
        /* This is safe: at most 4 characters are read */
        printf("a is  %.*s\n", 4, a);
        return 0;
}


So, why isn't the printk format specifier "%.*s" used more instead of
"%s" in the kernel?

Kind Regards

James
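
As an added illustration (not part of the mail above, and not the kernel's code), the following C shows the two points the mail makes: strncpy() that exactly fills a buffer leaves no terminator, while a strscpy-style copy always terminates and reports truncation, and a precision-bounded "%.*s" keeps the print inside the buffer. copy_terminated() is a userspace stand-in for strscpy() written for this example, not the kernel function.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's strscpy() (an added illustration,
 * not the kernel's code): always NUL-terminates dst when size > 0,
 * returns the number of characters copied, or -E2BIG on truncation. */
static long copy_terminated(char *dst, const char *src, size_t size)
{
    size_t len = 0;
    if (size == 0)
        return -E2BIG;
    while (len < size && src[len] != '\0')  /* bounded strlen */
        len++;
    if (len == size) {               /* src plus its NUL does not fit */
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -E2BIG;
    }
    memcpy(dst, src, len + 1);        /* copies the terminator too */
    return (long)len;
}

/* strncpy() with a source exactly as long as the buffer leaves no NUL,
 * so "%s" on it would read past the array.  Returns 1 if unterminated. */
static int strncpy_leaves_unterminated(void)
{
    char b[10];
    strncpy(b, "HelloThere", sizeof b); /* 10 chars, no room for NUL */
    return memchr(b, '\0', sizeof b) == NULL;
}

/* The same source through copy_terminated(): truncation is reported
 * and the buffer is still a valid C string.  Returns 1 on that outcome. */
static int truncation_is_reported(void)
{
    char d[10];
    long rc = copy_terminated(d, "HelloThere", sizeof d);
    return rc == -E2BIG && strcmp(d, "HelloTher") == 0;
}

int main(void)
{
    char b[10];
    strncpy(b, "HelloThere", sizeof b);
    /* Bounded read: never looks past sizeof b even without a NUL. */
    printf("b is %.*s\n", (int)sizeof b, b);
    printf("unterminated=%d reported=%d\n",
           strncpy_leaves_unterminated(), truncation_is_reported());
    return 0;
}
```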
