| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250725-violet-mayfly-from-heaven-bd66d2@l-nschier-aarch64>
Date: Fri, 25 Jul 2025 15:00:53 +0200
From: Nicolas Schier <nicolas.schier@...ux.dev>
To: Suchit Karunakaran <suchitkarunakaran@...il.com>
Cc: masahiroy@...nel.org, linux-kbuild@...r.kernel.org,
linux-kernel@...r.kernel.org, skhan@...uxfoundation.org
Subject: Re: [PATCH] kconfig/lxdialog: replace strcpy() with strscpy() in
inputbox.c
On Fri, Jul 25, 2025 at 11:29:28AM +0530, Suchit Karunakaran wrote:
> strcpy() performs no bounds checking and can lead to buffer overflows if
> the input string exceeds the destination buffer size. Replace it with
> strscpy(), which ensures the input is always NULL-terminated and
> prevents overflows.
>
> Signed-off-by: Suchit Karunakaran <suchitkarunakaran@...il.com>
> ---
> scripts/kconfig/lxdialog/inputbox.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
> index 3c6e24b20f5b..8880ccaffa0b 100644
> --- a/scripts/kconfig/lxdialog/inputbox.c
> +++ b/scripts/kconfig/lxdialog/inputbox.c
> @@ -40,7 +40,7 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
> if (!init)
> instr[0] = '\0';
> else
> - strcpy(instr, init);
> + strscpy(instr, init, MAX_LEN + 1);
Did you compile-test this? strscpy() is not available for user-space.
Kind regards,
Nicolas
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists