On Fri, 2006-09-22 at 13:10 +0530, Siju George wrote:
> On 9/22/06, Sharninder <[EMAIL PROTECTED]> wrote:
> > > # make
> > > cc -c sleezeball.c
> > > sleezeball.c:79: warning: conflicting types for built-in function `log'
> > > cc -o sleezeball sleezeball.o
> > > sleezeball.o(.text+0xd0): In function `log':
> > > : warning: vsprintf() is often misused, please use vsnprintf()
> > > sleezeball.o(.text+0x5d): In function `get_date':
> > > : warning: strcpy() is almost always misused, please use strlcpy()
> > > # cd /usr/ports/
> > > # make search name=sleezeball
> > > #
> > > ========================================================================
> > >
> > > Are these warnings ok? Is it really bad security to use this Software?
> > >
> >
> > strcpy and friends are known to be prone to buffer overflow and other
> > such vulnerabilities. Security experts therefore advise using variants
> > like strlcpy and friends. OpenBSD, being more security conscious,
> > probably has these warnings enabled by default and that is why you're
> > getting them while issuing a simple make.
> >
> Thank you so much Sharninder for your reply :-)
>
> So is there some technique to mass convert all strcpy() in code to strlcpy()?
>
Actually, it's not so easy. strcpy and strlcpy (or strncpy) have a slightly
different syntax, so the developer will probably have to make a few more
changes to his app. Specifically:

strcpy is:

    char *strcpy(char *dest, const char *src);

and strlcpy and strncpy are:

    size_t strlcpy(char *dst, const char *src, size_t size);

so both are quite different and strlcpy is not a drop-in replacement for
strcpy. You can probably still use the app if you're not as paranoid as
most OpenBSD folks ;)

--
Sharninder
_______________________________________________
bsd-india mailing list
[email protected]
http://www.bsd-india.org/mailman/listinfo/bsd-india
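An added illustration of the point above (example code written for this thread, not taken from sleezeball or from either poster): the two warnings the linker printed, strcpy() in get_date and vsprintf() in log, both go away only if the caller passes the destination size and checks the return value for truncation, which is exactly the extra work the reply describes. A local my_strlcpy with OpenBSD strlcpy semantics is included so the example builds on systems whose libc lacks strlcpy; the buffer size and function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same contract as OpenBSD strlcpy: copy at most size-1 bytes, always
 * NUL-terminate when size > 0, and return strlen(src) so the caller can
 * tell whether the string was cut. Named my_strlcpy so it does not clash
 * with a libc that already provides strlcpy. */
size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Before: the pattern behind the get_date warning. The callee has no idea
 * how big buf is, so any src longer than the buffer writes past its end. */
void get_date_unsafe(char *buf, const char *src) {
    strcpy(buf, src);
}

/* After: not a mechanical substitution. The caller must now hand over the
 * buffer size, and the result needs a truncation check; a return value
 * >= bufsize means src did not fit. */
int get_date_safe(char *buf, size_t bufsize, const char *src) {
    if (my_strlcpy(buf, src, bufsize) >= bufsize)
        return -1;  /* truncated, caller decides what to do */
    return 0;
}

/* Before-and-after for the second warning: vsnprintf instead of vsprintf,
 * again with the size passed in and the return value inspected. Called
 * log_msg rather than log so it does not collide with math.h's log(),
 * which was the "conflicting types" warning in the same build. */
int log_msg(char *out, size_t outsize, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsize, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsize)
        return -1;  /* encoding error or output truncated */
    return 0;
}
```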
