[ntp:hackers] Please use strlcpy(), strlcat() in NTP distribution.

Bruce Korb bruce.korb at gmail.com
Tue Apr 5 23:52:36 UTC 2011


Hi Dave,

You audited all eight calls?  Sorry you had to go through that.
It is just that, as noted, "strncpy" is brain damaged and "strlcpy"
is not widely available.....

Cheers - Bruce

On Tue, Apr 5, 2011 at 3:43 PM, Dave Hart <hart at ntp.org> wrote:
> I've converted nearly all of the strcpy() and strncpy() uses in NTP to use
> strlcpy(), and strcat() and strncat() to strlcat().  The big win is the
> strl... routines always nul-terminate the resulting string, even when
> truncating.

I consider that the big bite.  If you're truncating, then you've not got the
data you think you have.  If you don't have the data you think you have
then you're screwed.  Don't do that.

> The remaining strcpy()/strcat() calls in lib/isc and sntp/libopts have all
> been audited and have no overrun issues.

Again, thanks.  I could a told ya.....
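
Added example, not part of the original message or of the NTP sources: it shows the two behaviours the thread argues about, strncpy() leaving a full buffer without a terminator, and a strlcpy()-style copy whose return value lets the caller reject truncated data rather than carry on with it. The names demo_strlcpy, strncpy_unterminated and copy_or_fail are hypothetical, demo_strlcpy is a portable stand-in for platforms without strlcpy(), and the hostname is constructed sample input.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Stand-in with strlcpy() semantics (hypothetical name, avoids clashing
 * with a libc strlcpy). Copies at most size-1 bytes, always terminates
 * when size > 0, and returns strlen(src) so truncation is detectable. */
size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size > 0) {
        size_t n = (srclen < size - 1) ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* 1 if strncpy() left the first `size` bytes without a NUL, 0 if it
 * terminated, -1 if `size` does not fit the scratch buffer. */
int strncpy_unterminated(const char *src, size_t size)
{
    char buf[64];

    if (size == 0 || size > sizeof(buf))
        return -1;
    memset(buf, 'X', sizeof(buf));   /* poison so a missing NUL shows */
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) == NULL;
}

/* Treat truncation as an error: 0 on success, -1 if src did not fit.
 * dst is still terminated on failure, but holds only a prefix of src. */
int copy_or_fail(char *dst, const char *src, size_t size)
{
    return demo_strlcpy(dst, src, size) >= size ? -1 : 0;
}

int main(void)
{
    char host[8];
    const char *src = "ntp.example.org";   /* constructed sample input */

    printf("strncpy unterminated: %d\n", strncpy_unterminated(src, sizeof(host)));
    printf("copy_or_fail: %d\n", copy_or_fail(host, src, sizeof(host)));
    printf("host after truncation: \"%s\"\n", host);
    return 0;
}
```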

