Message-ID: <CCF15545-8AF8-40A8-917C-E44B6373D9AE@kernel.org>
Date: Thu, 20 Feb 2025 00:54:38 -0800
From: Kees Cook <kees@...nel.org>
To: Thorsten Blum <thorsten.blum@...ux.dev>
CC: Allison Henderson <allison.henderson@...cle.com>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Simon Horman <horms@...nel.org>, linux-hardening@...r.kernel.org,
 netdev@...r.kernel.org, linux-rdma@...r.kernel.org, rds-devel@....oracle.com,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next] net/rds: Replace deprecated strncpy() with strscpy_pad()



On February 19, 2025 11:04:18 PM PST, Thorsten Blum <thorsten.blum@...ux.dev> wrote:
>On 20. Feb 2025, at 03:57, Kees Cook wrote:
>> On Wed, Feb 19, 2025 at 11:47:31PM +0100, Thorsten Blum wrote:
>>> strncpy() is deprecated for NUL-terminated destination buffers. Use
>>> strscpy_pad() instead and remove the manual NUL-termination.
>> 
>> When doing these conversions, please describe two aspects of
>> conversions:
>> 
>> - Why is it safe to be NUL terminated
>> - Why is it safe to be/not-be NUL-padded
>> 
>> In this case, the latter needs examination. Looking at how ctr is used,
>> it is memcpy()ed later, which means this string MUST be NUL padded or it
>> will leak stack memory contents.
>> 
>> So, please use strscpy_pad() here. :)
>
>I am using strscpy_pad() here already because of the NUL-padding.
>
>Did you just miss that?

Well that's embarrassing. Yes, I must need stronger glasses. *sigh* Apologies for the noise!

Reviewed-by: Kees Cook <kees@...nel.org>


-- 
Kees Cook
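
The padding concern raised in the quoted review, as an added user-space illustration that is not part of this message or of the kernel patch. demo_strscpy() and demo_strscpy_pad() are simplified stand-ins for the kernel helpers, and the struct, its size, the 0xAA fill and the "tcp" string are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16 /* constructed size, not the real RDS field size */

struct demo_ctr { char name[NAME_LEN]; }; /* hypothetical record */

/* User-space stand-in for strscpy(): always NUL-terminates, does not pad.
 * Returns the length copied, or -1 on truncation (the kernel returns -E2BIG). */
static long demo_strscpy(char *dst, const char *src, size_t size)
{
    size_t i;
    if (size == 0)
        return -1;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (long)i : -1;
}

/* Stand-in for strscpy_pad(): same, then zero-fills the rest of dst. */
static long demo_strscpy_pad(char *dst, const char *src, size_t size)
{
    long n = demo_strscpy(dst, src, size);
    size_t used = n < 0 ? size : (size_t)n + 1;
    memset(dst + used, 0, size - used);
    return n;
}

/* Counts stale bytes that reach the output when the record is copied whole. */
static size_t stale_bytes_copied_out(int pad)
{
    struct demo_ctr ctr;
    unsigned char out[sizeof(ctr)];
    size_t i, stale = 0;
    memset(&ctr, 0xAA, sizeof(ctr)); /* constructed stand-in for old stack data */
    (pad ? demo_strscpy_pad : demo_strscpy)(ctr.name, "tcp", sizeof(ctr.name));
    memcpy(out, &ctr, sizeof(ctr)); /* whole-buffer copy, like the later memcpy() */
    for (i = 0; i < sizeof(out); i++)
        stale += (out[i] == 0xAA);
    return stale;
}

int main(void)
{
    printf("strscpy: %zu stale bytes, strscpy_pad: %zu\n", stale_bytes_copied_out(0), stale_bytes_copied_out(1));
    return 0;
}
```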
