Re: Sound updating, security of strlcpy and a question on pci v unload

Mitchell Blank Jr (mitch@sfgoth.com)
Fri, 11 Jul 2003 15:37:54 -0700


Mikulas Patocka wrote:
> What's the difference there? strlcpy always creates null-terminated
> string, strncpy doesn't. strncpy in kernel (unlike user strncpy) does not
> pad the whole destination buffer with zeros (see comment and
> implementation in lib/string.c), so I don't see any point why strncpy
> should be more secure.

Not only that, I think the point is usually moot anyway. If you're
filling in a structure to pass to userspace like:

struct whatever foo;
strncpy(foo.name, "My Driver", sizeof(foo.name));
foo.count = 1;
[...]

then you're STILL probably at risk of data leakage if "struct whatever"
requires padding on any architecture. The real fix is to make sure
that "foo" is explicitly zero'ed out first. Then strlcpy-vs-strncpy
becomes a non-issue.

I wonder if strncpy() should just be removed from the kernel since it
doesn't seem to behave consistently across architectures anyway. There's
probably only a couple places that actually ever would WANT to generate
a maybe-NUL-terminated byte array and they could just open code it.
For 95%+ of cases strlcpy() is the better API.

-Mitch
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/