[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <cf6950bc-32c8-459c-a4b1-ca0a291fc2f8@infradead.org>
Date: Wed, 18 Oct 2023 19:27:20 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Bagas Sanjaya <bagasdotme@...il.com>,
James Dutton <james.dutton@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Cc: Justin Stitt <justinstitt@...gle.com>,
Calvince Otieno <calvncce@...il.com>,
Azeem Shaikh <azeemshaikh38@...il.com>,
Kees Cook <keescook@...omium.org>,
Andy Shevchenko <andy@...nel.org>
Subject: Re: Is strncpy really less secure than strscpy ?
On 10/18/23 18:49, Bagas Sanjaya wrote:
> [Disclaimer: I have little to no knowledge of C, so things may be wrong.
> Please correct me if it is the case. Also Cc: recent people who work on
> strscpy() conversion.]
>
Also Cc: the STRING maintainers.
> On Thu, Oct 19, 2023 at 12:22:33AM +0100, James Dutton wrote:
>> Is strncpy really less secure than strscpy ?
>>
>> If one uses strncpy and thus put a limit on the buffer size during the
>> copy, it is safe. There are no writes outside of the buffer.
>> If one uses strscpy and thus put a limit on the buffer size during the
>> copy, it is safe. There are no writes outside of the buffer.
>
> Well, assuming that the string is NUL-terminated, the end result should
> be the same.
>
>> But, one can fit more characters in strncpy than strscpy because
>> strscpy enforces the final \0 on the end.
>> One could argue that strncpy is better because it might save the space
>> of one char at the end of a string array.
>> There are cases where strncpy might be unsafe. For example copying
>> between arrays of different sizes, and that is a case where strscpy
>> might be safer, but strncpy can be made safe if one ensures that the
>> size used in strncpy is the smallest of the two different array sizes.
>
> Code example on both cases?
>
>>
>> If one blindly replaces strncpy with strscpy across all uses, one
>> could unintentionally be truncating the results and introduce new
>> bugs.
>>
>> The real insecurity surely comes when one tries to use the string.
>> For example:
>>
>> #include <stdio.h>
>> #include <string.h>
>>
>> int main() {
>> char a[10] = "HelloThere";
>> char b[10];
>> char c[10] = "Overflow";
>> strncpy(b, a, 10);
>> /* This overflows and so in unsafe */
>> printf("a is %s\n", a);
>> /* This overflows and so in unsafe */
>> printf("b is %s\n", b);
>> /* This is safe */
>> printf("b is %.*s\n", 10, a);
>> /* This is safe */
>> printf("b is %.*s\n", 4, a);
>> return 0;
>> }
>
> What if printf("a is %.*s\n", a);?
>
>>
>>
>> So, why isn't the printk format specifier "%.*s" used more instead of
>> "%s" in the kernel?
>
> Since basically strings are pointers.
>
> Thanks.
>
--
~Randy
Powered by blists - more mailing lists