Re: [dev] fsbm

From: Dimitris Papastamos <sin_AT_2f30.org>
Date: Fri, 7 Nov 2014 10:40:34 +0000

On Fri, Nov 07, 2014 at 11:27:35AM +0100, k0ga_AT_shike2.com wrote:
> >> I disagree, check the size before of calling strcpy. If you want to
> >> avoid security risk you also have to check the output of strlcpy
> >> to detect truncations, so you don't win anything. In both cases
> >> you have to add a comparision, so it is better to use strcpy that
> >> is standard.
> >
> > Good luck with that.
>
> You should read this:
>
> http://sourceware.org/ml/libc-alpha/2002-01/msg00147.html
>
> The full thread is really interesting. Saying that strcpy is insecure
> is the same that saying that any pointer or array index is insecure
> because you can write out of bounds.
>
> If you know the size of the array then why you don't use memcpy
> directly?.

You should approach programming with a humble mindset. strcpy() will
be followed by strcat() sometimes.

With strlcpy() and strlcat(), the conditionals are equally dumb:

if (strlcpy(dst, src, n) >= n) { ... }
if (strlcat(dst, src, n) >= n) { ... }
Received on Fri Nov 07 2014 - 11:40:34 CET

This archive was generated by hypermail 2.3.0 : Fri Nov 07 2014 - 11:48:13 CET