Message-Id: <620FC0E4-E745-429B-BF16-BCC2D5924E1D@linux.dev>
Date: Wed, 19 Nov 2025 02:23:01 +0100
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: David Laight <david.laight.linux@...il.com>
Cc: Namjae Jeon <linkinjeon@...nel.org>,
 Steve French <smfrench@...il.com>,
 Sergey Senozhatsky <senozhatsky@...omium.org>,
 Tom Talpey <tom@...pey.com>,
 linux-cifs@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ksmbd: Replace strcpy + strcat with scnprintf in
 convert_to_nt_pathname

On 18. Nov 2025, at 23:35, David Laight wrote:
> On Tue, 18 Nov 2025 13:25:56 +0100
> Thorsten Blum <thorsten.blum@...ux.dev> wrote:
> 
>> strcpy() is deprecated and using strcat() is discouraged; use the safer
>> scnprintf() instead.  No functional changes.
>> 
>> Link: https://github.com/KSPP/linux/issues/88
>> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
>> ---
>> [...]
> 
> Ugg...
> If nothing else non-constant formats are definitely frowned upon.
> Never mind the non-trivial cpu cost of printf.
> 
> OTOH once you've got the string length, just use memcpy().
> That way you know you won't overflow the malloc buffer even
> if someone changes the string on you.

Ok, I'll submit a v2.

Thanks,
Thorsten
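
The approach suggested in the quoted reply (take the string length once, then use memcpy()), as an added userspace C example that is not part of this thread or of the ksmbd patch. join_measured() and demo_source_grows() are hypothetical names, and the sample strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (not the ksmbd function): join prefix and tail into
 * a new buffer. Lengths are measured once by the caller; the allocation
 * and both copies use those saved lengths, so no copy can exceed it.
 */
char *join_measured(const char *prefix, size_t prefix_len,
                    const char *tail, size_t tail_len)
{
    char *out;
    /* prefix_len + tail_len + 1 must not wrap around. */
    if (tail_len >= SIZE_MAX - prefix_len)
        return NULL;

    out = malloc(prefix_len + tail_len + 1);
    if (!out)
        return NULL;
    memcpy(out, prefix, prefix_len);
    memcpy(out + prefix_len, tail, tail_len);
    out[prefix_len + tail_len] = '\0';   /* terminate explicitly */
    return out;
}

/* Constructed scenario: the source grows after its length was taken. */
size_t demo_source_grows(void)
{
    char src[64] = "dir/file";           /* constructed sample input */
    size_t len = strlen(src);            /* measured once: 8 */
    char *out;
    size_t got;

    snprintf(src + len, sizeof(src) - len, "-renamed-longer");
    out = join_measured("/", 1, src, len);  /* strcpy/strcat would re-scan src */
    if (!out)
        return 0;
    got = strlen(out);                   /* length of "/dir/file" */
    free(out);
    return got;
}

int main(void)
{
    printf("%zu\n", demo_source_grows());
    return 0;
}
```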
