| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241011193047.0b788145@gandalf.local.home> Date: Fri, 11 Oct 2024 19:30:47 -0400 From: Steven Rostedt <rostedt@...dmis.org> To: Justin Stitt <justinstitt@...gle.com> Cc: Masami Hiramatsu <mhiramat@...nel.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, Kees Cook <kees@...nel.org> Subject: Re: [PATCH] tracing: replace multiple deprecated strncpy with strscpy On Fri, 11 Oct 2024 14:59:16 -0700 Justin Stitt <justinstitt@...gle.com> wrote: > So, assuming I haven't lost your faith, I can send a v2 along the lines of: Not yet ;-) > > 1) > strscpy(num_buf, str + s, len + 1); > > ... or > 2) > memcpy(num_buf, str + s, len); > num_buf[len] = 0; > > And if you're wondering about option 3: "Don't change anything because > the code works". I'd reiterate that I think it's important to replace > bad ambiguous APIs. There are many cases where folks use strncpy() as > a glorified memcpy because they want the padding behavior, or they use > it on non-null terminated destinations or tons of other "misuses". > Ambiguous code like that poses a real danger to the maintainability of > the codebase and opens threat vectors. I use it as a string memcpy, where it doesn't copy more than source. But I don't care about the padding. So option 2 is fine with me. -- Steve
Powered by blists - more mailing lists