| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202410141423.2C30F35EE0@keescook> Date: Mon, 14 Oct 2024 14:31:29 -0700 From: Kees Cook <kees@...nel.org> To: Justin Stitt <justinstitt@...gle.com> Cc: Steven Rostedt <rostedt@...dmis.org>, Masami Hiramatsu <mhiramat@...nel.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH v2] tracing: replace multiple deprecated strncpy with memcpy On Mon, Oct 14, 2024 at 02:13:14PM -0700, Justin Stitt wrote: > strncpy() is deprecated for use on NUL-terminated destination strings [1] and > as such we should prefer more robust and less ambiguous string interfaces. > > String copy operations involving manual pointer offset and length > calculations followed by explicit NUL-byte assignments are best changed > to either strscpy or memcpy. > > strscpy is not a drop-in replacement as @len would need a one subtracted > from it to avoid truncating the source string. > > To not sabotage readability of the current code, use memcpy (retaining > the manual NUL assignment) as this unambiguously describes the desired > behavior. We know the destination must have a NUL-terminated string. Is the src NUL terminated? Looking at parse_pred(), it seems like no? And we can't use memtostr_pad() here because the source buffer size isn't known at compile time. Okay then. And there are no NUL bytes in the "str + s" span, so yeah, it looks like memcpy() is best. Reviewed-by: Kees Cook <kees@...nel.org> -- Kees Cook
Powered by blists - more mailing lists