On Fri, Nov 07, 2014 at 11:27:35AM +0100, k...@shike2.com wrote:
> >> I disagree, check the size before of calling strcpy. If you want to
> >> avoid security risk you also have to check the output of strlcpy
> >> to detect truncations, so you don't win anything. In both cases
> >> you have to add a comparision, so it is better to use strcpy that
> >> is standard.
> >
> > Good luck with that.
>
> You should read this:
>
> http://sourceware.org/ml/libc-alpha/2002-01/msg00147.html
>
> The full thread is really interesting. Saying that strcpy is insecure
> is the same that saying that any pointer or array index is insecure
> because you can write out of bounds.
>
> If you know the size of the array then why you don't use memcpy
> directly?.
You should approach programming with a humble mindset. strcpy() will
be followed by strcat() sometimes.
With strlcpy() and strlcat(), the conditionals are equally dumb:
if (strlcpy(dst, src, n) >= n) { ... }
if (strlcat(dst, src, n) >= n) { ... }
