Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932943AbbD1DtG (ORCPT <rfc822;w@1wt.eu>);
	Mon, 27 Apr 2015 23:49:06 -0400
Received: from zeniv.linux.org.uk ([195.92.253.2]:40648 "EHLO
	ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752859AbbD1DtD (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 27 Apr 2015 23:49:03 -0400
Date: Tue, 28 Apr 2015 04:48:59 +0100
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Fabian Frederick <fabf@skynet.be>, linux-kernel@vger.kernel.org
Subject: revert "fs/befs/linuxvfs.c: replace strncpy by strlcpy"
Message-ID: <20150428034859.GI889@ZenIV.linux.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1824
Lines: 37

commit 39d7a29f867bd5a4a551fad6bb3812ceddb0bce1
Author: Fabian Frederick <fabf@skynet.be>
Date:   Fri Jun 6 14:36:15 2014 -0700

    fs/befs/linuxvfs.c: replace strncpy by strlcpy
    
    strncpy + end of string assignment replaced by strlcpy

replaces perfectly safe code with undefined behaviour.  All in the name
of "security hardening", presumably.  Folks, seeing the words "designed to be
safer, more consistent, and less error prone replacement" in a manpage does
*NOT* mean "OK, quit reading it - no need to go further, not even to the end
of the paragraph".  Because in the end of that paragraph it says "This means
that for strlcpy() src must be NUL-terminated".  And sure enough, our
implementation relies on that - it starts with strlen().

strncpy() is guaranteed not to look further than size.  strlcpy() is *NOT*.
strncpy() on unvalidated source is safe, provided that you sanitize the copy;
strlcpy() on anything like that is an invitation for nasal daemons.

Sure, we can (and probably should) make strlcpy(dst, src, n) never access
memory beyond src + n - 1, but this kind of cargo-culting is a Bad Thing(tm);
mindless "security improvements" without so much as bothering to RTFM are
asking for trouble.  And in userland code anything like that _can't_ be
papered over afterwards - not unless you can patch every libc implementation
out there.

This particular code is completely pointless - if anything, it should've been
memcpy() + nd_terminate_link()...

Al, very unhappy about the prospect of looking through ~2000 calls of strlcpy()
we have in the tree...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/