0sjfoij...@firemail.cc wrote:

> Recently on LCA2019, Joel Sing made a presentation about "Security
> Vulnerability Mitigations"[1] (very good, btw). He suggests function
> strlcpy(3) as a secure API. In the same conference, though, Kees Cook
> ("Making C Less Dangerous in the Linux kernel"[2]), recommends strscpy()
> as more secure. So, my question is: what's the best to use?
> 
> Thanks in advance.
> 
> 
> [1] https://youtube.com/watch?v=9-uNC4-RbQM
> [2] https://youtube.com/watch?v=FY9SbqTO5GQ

Take note:

    The return value is the number of characters copied (without the
    trailing NUL byte) - unless the string would not fit into dest, in which
    case the return value is -E2BIG.

1) It is a Linux kernel API only, it does not show up anywhere in userland.

2) As it is, it will never go into the standard C library, because that
   return-value scheme is outside of scope, in particular for a string function

strlcpy has significant deployment, and no one is worried about it
being "insecure".

The NIH is obviously very strong in Linux land.
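
An added example, not part of the original message or of either project's code: the two return-value conventions discussed above, side by side, showing how a caller detects truncation with each. `ex_strlcpy` and `ex_strscpy` are hypothetical userland stand-ins written for this illustration, and the input strings are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in with strlcpy(3) semantics: NUL-terminates when
 * size > 0 and returns strlen(src), so src must itself be NUL-terminated. */
static size_t ex_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Hypothetical stand-in with the return value quoted above: characters
 * copied (without the NUL), or -E2BIG when src does not fit in dst. */
static ssize_t ex_strscpy(char *dst, const char *src, size_t size)
{
    size_t i;
    if (size == 0)
        return -E2BIG;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (ssize_t)i : -E2BIG;
}

int main(void)
{
    const char *inputs[] = { "eth0", "a-very-long-interface-name" }; /* constructed */
    char buf[8];
    for (size_t k = 0; k < 2; k++) {
        size_t l = ex_strlcpy(buf, inputs[k], sizeof buf);
        /* strlcpy: truncation is a comparison the caller must remember. */
        printf("strlcpy: ret=%zu truncated=%d buf=\"%s\"\n", l, l >= sizeof buf, buf);
        ssize_t s = ex_strscpy(buf, inputs[k], sizeof buf);
        /* strscpy: truncation is a negative return value. */
        printf("strscpy: ret=%zd truncated=%d buf=\"%s\"\n", s, s < 0, buf);
    }
    return 0;
}
```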

