From: Mitchell Blank Jr <mitch@sfgoth.com>
To: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Sound updating, security of strlcpy and a question on pci v unload
Date: Fri, 11 Jul 2003 15:37:54 -0700 [thread overview]
Message-ID: <20030711223754.GC73897@gaz.sfgoth.com> (raw)
In-Reply-To: <Pine.LNX.4.44.0307112100240.843-100000@artax.karlin.mff.cuni.cz>
Mikulas Patocka wrote:
> What's the difference there? strlcpy always creates null-terminated
> string, strncpy doesn't. strncpy in kernel (unlike user strncpy) does not
> pad the whole destination buffer with zeros (see comment and
> implementation in lib/string.c), so I don't see any point why strncpy
> should be more secure.
Not only that, I think the point is usually moot anyway. If you're
filling in a structure to pass to userspace like:
struct whatever foo;
strncpy(foo.name, "My Driver", sizeof(foo.name));
foo.count = 1;
[...]
then you're STILL probably at risk of data leakage if "struct whatever"
requires padding on any architecture. The real fix is to make sure
that "foo" is explicitly zero'ed out first. Then strlcpy-vs-strncpy
becomes a non-issue.
I wonder if strncpy() should just be removed from the kernel since it
doesn't seem to behave consistently across architectures anyway. There's
probably only a couple places that actually ever would WANT to generate
a maybe-NUL-terminated byte array and they could just open code it.
For 95%+ of cases strlcpy() is the better API.
-Mitch
next prev parent reply other threads:[~2003-07-11 22:17 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-07-11 17:05 Sound updating, security of strlcpy and a question on pci v unload Alan Cox
2003-07-11 19:04 ` Mikulas Patocka
2003-07-11 21:45 ` SECURITY - data leakage due to incorrect strncpy implementation Alan Cox
2003-07-11 22:10 ` Alan Cox
2003-07-11 23:49 ` Paul Mackerras
2003-07-12 21:28 ` Horst von Brand
2003-07-13 8:02 ` Alan Cox
2003-07-11 22:44 ` Linus Torvalds
2003-07-11 22:50 ` Alan Cox
2004-01-29 3:11 ` Pete Zaitcev
2003-07-11 22:37 ` Mitchell Blank Jr [this message]
2003-07-12 0:08 ` Sound updating, security of strlcpy and a question on pci v unload Greg KH
-- strict thread matches above, loose matches on Subject: below --
2003-07-12 14:03 Albert Cahalan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030711223754.GC73897@gaz.sfgoth.com \
--to=mitch@sfgoth.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=mikulas@artax.karlin.mff.cuni.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox