Re: [PATCH v3] staging: android: Replace strcpy with strlcpy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Mar 12, 2017 at 7:04 PM, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> On Sun, Mar 12, 2017 at 03:32:44AM +0530, simran singhal wrote:
>> Replace strcpy with strlcpy as strcpy does not check for buffer
>> overflow.
>
> Can there be a buffer overflow here?  If not, then strcpy is just fine
> to use.  Do you see a potential code path here that actually is a
> problem using this?
>
>> This is found using Flawfinder.
>
> You mean 'grep'?  :)
>
> If not, what exactly does "Flawfinder" point out is wrong with the code
> here?  At first glance, I can't find it, but perhaps the tool, and your
> audit, provided more information?
>
> thanks,
>

Flawfinder reports possible security weaknesses (“flaws”) sorted by risk level.
The risk level is shown inside square brackets and varies from 0, very
little risk,
to 5, great risk.

So, here in this case I was getting risk of [4].
This is what I got:
drivers/staging/android/ashmem.c:551:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  misused).

> greg k-h
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel




[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux