On February 19, 2025 11:04:18 PM PST, Thorsten Blum <thorsten.blum@xxxxxxxxx> wrote: >On 20. Feb 2025, at 03:57, Kees Cook wrote: >> On Wed, Feb 19, 2025 at 11:47:31PM +0100, Thorsten Blum wrote: >>> strncpy() is deprecated for NUL-terminated destination buffers. Use >>> strscpy_pad() instead and remove the manual NUL-termination. >> >> When doing these conversions, please describe two aspects of >> conversions: >> >> - Why is it safe to be NUL terminated >> - Why is it safe to be/not-be NUL-padded >> >> In this case, the latter needs examination. Looking at how ctr is used, >> it is memcpy()ed later, which means this string MUST be NUL padded or it >> will leak stack memory contents. >> >> So, please use strscpy_pad() here. :) > >I am using strscpy_pad() here already because of the NUL-padding. > >Did you just miss that? Well that's embarrassing. Yes, I must need stronger glasses. *sigh* Apologies for the noise! Reviewed-by: Kees Cook <kees@xxxxxxxxxx> -- Kees Cook
