Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38;
Date:   Thu, 19 Oct 2023 08:49:34 +0700
From:   Bagas Sanjaya <bagasdotme@gmail.com>
To:     James Dutton <james.dutton@gmail.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc:     Justin Stitt <justinstitt@google.com>,
        Calvince Otieno <calvncce@gmail.com>,
        Azeem Shaikh <azeemshaikh38@gmail.com>
Subject: Re: Is strncpy really less secure than strscpy ?
Message-ID: <ZTCLLinnaqIILXsJ@debian.me>
References: <CAAMvbhG40h6pqSf91BurDHQqeoKfP30bwnpvSDRHBN4Hoygqew@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
        protocol="application/pgp-signature"; boundary="tKwvtRMdeA05vy2V"
Content-Disposition: inline
In-Reply-To: <CAAMvbhG40h6pqSf91BurDHQqeoKfP30bwnpvSDRHBN4Hoygqew@mail.gmail.com>
Precedence: bulk


--tKwvtRMdeA05vy2V
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[Disclaimer: I have little to no knowledge of C, so things may be wrong.
 Please correct me if it is the case. Also Cc: recent people who work on
 strscpy() conversion.]

On Thu, Oct 19, 2023 at 12:22:33AM +0100, James Dutton wrote:
> Is strncpy really less secure than strscpy ?
>=20
> If one uses strncpy and thus put a limit on the buffer size during the
> copy, it is safe. There are no writes outside of the buffer.
> If one uses strscpy and thus put a limit on the buffer size during the
> copy, it is safe. There are no writes outside of the buffer.

Well, assuming that the string is NUL-terminated, the end result should
be the same.

> But, one can fit more characters in strncpy than strscpy because
> strscpy enforces the final \0 on the end.
> One could argue that strncpy is better because it might save the space
> of one char at the end of a string array.
> There are cases where strncpy might be unsafe. For example copying
> between arrays of different sizes, and that is a case where strscpy
> might be safer, but strncpy can be made safe if one ensures that the
> size used in strncpy is the smallest of the two different array sizes.

Code example on both cases?

>=20
> If one blindly replaces strncpy with strscpy across all uses, one
> could unintentionally be truncating the results and introduce new
> bugs.
>=20
> The real insecurity surely comes when one tries to use the string.
> For example:
>=20
> #include <stdio.h>
> #include <string.h>
>=20
> int main() {
>         char a[10] =3D "HelloThere";
>         char b[10];
>         char c[10] =3D "Overflow";
>         strncpy(b, a, 10);
>         /* This overflows and so in unsafe */
>         printf("a is  %s\n", a);
>         /* This overflows and so in unsafe */
>         printf("b is  %s\n", b);
>         /* This is safe */
>         printf("b is  %.*s\n", 10, a);
>         /* This is safe */
>         printf("b is  %.*s\n", 4, a);
>         return 0;
> }

What if printf("a is  %.*s\n", a);?

>=20
>=20
> So, why isn't the printk format specifier "%.*s" used more instead of
> "%s" in the kernel?

Since basically strings are pointers.

Thanks.

--=20
An old man doll... just what I always wanted! - Clara

--tKwvtRMdeA05vy2V
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQSSYQ6Cy7oyFNCHrUH2uYlJVVFOowUCZTCLKgAKCRD2uYlJVVFO
o9/jAQDxz8zc/tgvMo6cWqte0hMIsNfZEoiluRsauKgj8HXQtAEAmY6JIt5OKSZH
EhJ0mAM4hbMXWaYEBQCjwwU045aB5wo=
=Frs5
-----END PGP SIGNATURE-----

--tKwvtRMdeA05vy2V--