> Seems it is ok to use strlcat/strlcpy that way in some cases:
> $ cat src/usr.sbin/smtpd/*.c | egrep -c ' strlc(at|py)\('
> 249Hi Claus @ Sendmail [come on, your employeer matters when you point at code like this, you know better] smtpd is a new project. The 2-3 developers working on it should do better, indeed. I hope they fix them all in 48 hours. All of those calls should do something with the range check result, or if truncation is determined to be the desired & safe condition, be annotated with (void) to indicate an audit has occured. That is best practice. On the other hand, the 2-decade OpenSSL group has a massive commercial userbase, and this problem was allowed to persist. Commit history shows it has been getting worse, not better. Look at the OpenSSL list I posted again. Some of those are using sizeof(src). Shall you and I make a bet about when OpenSSL has all these calls fixed to check for overflow and truncation?
