On Fri, Sep 02, 2022 at 08:53:34AM +0700, Bagas Sanjaya wrote:
> On 9/2/22 02:09, Kees Cook wrote:
> > One of the "legitimate" uses of strncpy() is copying a NUL-terminated
> > string into a fixed-size non-NUL-terminated character array. To avoid
> > the weaknesses and ambiguity of intent when using strncpy(), provide
> > replacement functions that explicitly distinguish between trailing
> > padding and not, and require the destination buffer size be discoverable
> > by the compiler.
> >> For example:
> >
> > struct obj {
> > int foo;
> > char small[4] __nonstring;
> > char big[8] __nonstring;
> > int bar;
> > };
> >
> > struct obj p;
> >
> > /* This will truncate to 4 chars with no trailing NUL */
> > strncpy(p.small, "hello", sizeof(p.small));
> > /* p.small contains 'h', 'e', 'l', 'l' */
> >
> > /* This will NUL pad to 8 chars. */
> > strncpy(p.big, "hello", sizeof(p.big));
> > /* p.big contains 'h', 'e', 'l', 'l', 'o', '\0', '\0', '\0' */
> >
> > When the "__nonstring" attributes are missing, the intent of the
> > programmer becomes ambiguous for whether the lack of a trailing NUL
> > in the p.small copy is a bug. Additionally, it's not clear whether
> > the trailing padding in the p.big copy is _needed_. Both cases
> > become unambiguous with:
> >
> > strtomem(p.small, "hello");
> > strtomem_pad(p.big, "hello", 0);
> >
> > See also https://github.com/KSPP/linux/issues/90
> >
>
> Should'nt strscpy() do the job?
strscpy() will always NUL-terminate. If someone is moving a
NUL-terminated string to a fixed-length buffer (that is _not_
NUL-terminated), using strscpy() will force the final byte to be 0x00,
which will likely be a regression. For example:
struct wifi_driver {
...
char essid[8];
...
};
struct wifi_driver fw;
char *essed = "12345678";
strncpy(fw.essid, essid, sizeof(fw.essid));
fw.essid will contain: 1 2 3 4 5 6 7 8
strscpy(fw.essid, essid, sizeof(fw.essid)):
fw.essid will contain: 1 2 3 4 5 6 7 '\0'
--
Kees Cook
