On Fri, Nov 7, 2014, at 02:03, k0ga_AT_shike2.com wrote:
> I disagree, check the size before calling strcpy. If you want to
> avoid security risk you also have to check the output of strlcpy
> to detect truncations, so you don't win anything. In both cases
> you have to add a comparison, so it is better to use strcpy that
> is standard.
There are numerous scenarios where an overflow has security implications
but a truncation does not. For example, if an attacker can supply any
string, they could supply the shorter one to begin with, and therefore
don't benefit from truncation.
Received on Sat Nov 08 2014 - 16:04:20 CET
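The two patterns argued over in this thread, side by side, as an added example that is not part of either message. `copy_trunc` is a hypothetical portable stand-in for `strlcpy` (so the code builds on a libc without it), and the function names, buffer size and sample string are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for BSD strlcpy: copies at most size-1 bytes,
 * always NUL-terminates when size > 0, and returns strlen(src). */
static size_t copy_trunc(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Pattern from the quoted message: compare the size first, then strcpy.
 * Returns 0 on success, -1 if src does not fit (dst is left untouched). */
static int copy_checked_strcpy(char *dst, size_t size, const char *src)
{
    if (strlen(src) >= size)
        return -1;
    strcpy(dst, src);
    return 0;
}

/* strlcpy-style copy, then compare the return value to detect truncation.
 * Returns 0 on success, -1 if the copy was truncated (dst holds a prefix). */
static int copy_checked_trunc(char *dst, size_t size, const char *src)
{
    return copy_trunc(dst, src, size) >= size ? -1 : 0;
}

/* Constructed input: 11 characters, too long for an 8-byte buffer. */
static const char sample_long[] = "0123456789A";

int main(void)
{
    char buf[8];
    /* With the comparison left out, the strlcpy-style copy still stays
     * inside buf and terminates it; a bare strcpy(buf, sample_long)
     * would write past the end of buf. */
    copy_trunc(buf, sample_long, sizeof buf);
    return strlen(buf) == sizeof buf - 1 ? 0 : 1;
}
```

Both checked variants cost one comparison; they differ in what is left behind when the comparison is forgotten.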