From: Florian Weimer
To: Alejandro Colomar via Libc-alpha
Cc: Alejandro Colomar
Subject: Re: [PATCH 1/2] Implement strlcpy and strlcat [BZ #178]
Date: Thu, 06 Apr 2023 23:35:46 +0200
In-Reply-To: <8513afd6-e276-05d5-bc4c-0722de71e0af@gmail.com> (Alejandro Colomar via Libc-alpha's message of "Thu, 6 Apr 2023 23:21:51 +0200")
Message-ID: <87fs9cn171.fsf@mid.deneb.enyo.de>

* Alejandro Colomar via Libc-alpha:

>> + size_t src_length = strlen (src);
>> +
>> + /* Our implementation strlcat supports dest == NULL if size == 0
>> + (for consistency with snprintf and strlcpy), but strnlen does
>> + not, so we have to cover this case explicitly. */
>> + if (size == 0)
>> + return src_length;
>> +
>> + size_t dest_length = __strnlen (dest, size);
>
> The OpenBSD contract of strlcat(3) includes that _both_ the source
> string and the destination strings are NULL-terminated.  I guess
> POSIX has kept that contract.  If that's the case, we can just call
> strlen(3) here.

NetBSD says this:

| Note however, that if strlcat() traverses size characters without
| finding a NUL, the length of the string is considered to be size and
| the destination string will not be NUL-terminated (since there was
| no space for the NUL).  This keeps strlcat() from running off the
| end of a string.  In practice this should not happen (as it means
| that either size is incorrect or that dst is not a proper ``C''
| string).  The check exists to prevent potential security problems in
| incorrect code.

OpenBSD alludes to this as well:

| strlcat() appends string src to the end of dst.  It will append at
| most dstsize - strlen(dst) - 1 characters.  It will then
| NUL-terminate, unless dstsize is 0 or the original dst string was
| longer than dstsize (in practice this should not happen as it means
| that either dstsize is incorrect or that dst is not a proper
| string).

So I think we should be calling strnlen here.  If we call strlen
instead, we'd have to bound the result.

Thanks,
Florian
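Review bot: the quoted fragment ends immediately after `size_t dest_length = __strnlen (dest, size);`, so the branch that the NetBSD and OpenBSD text in this reply requires, dest_length == size (no NUL found within size), is not visible here; that case must return size + src_length and must not write a terminator into dest, so the lines following the quoted excerpt need to cover it before the append is computed. A small wording point in the comment: "Our implementation strlcat supports dest == NULL" reads better as "Our strlcat implementation supports dest == NULL".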
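The strnlen-bounded behaviour argued for above, as an added example that is not code from the patch or from glibc: a hypothetical `demo_strlcat` following the OpenBSD contract quoted in the reply, plus a `demo_strlcat_cases` function that checks the documented cases (plain append, truncation, size == 0 with a NULL dst, and a dst with no NUL inside size) on constructed buffers.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <string.h>

/* Hypothetical reference strlcat following the OpenBSD contract quoted in
   the thread: dst's length is bounded with strnlen, so an unterminated dst
   (or a wrong size) can never make the call scan past the buffer. */
size_t demo_strlcat (char *dst, const char *src, size_t size)
{
  size_t src_length = strlen (src);
  /* dst may be NULL when size == 0: nothing is read or written. */
  if (size == 0)
    return src_length;
  size_t dst_length = strnlen (dst, size);
  /* No NUL within size: dst is not a proper string, or size is wrong.
     Leave dst untouched and report the length that would have been needed. */
  if (dst_length == size)
    return size + src_length;
  size_t avail = size - dst_length - 1;        /* room left, excluding the NUL */
  size_t to_copy = src_length < avail ? src_length : avail;
  memcpy (dst + dst_length, src, to_copy);
  dst[dst_length + to_copy] = '\0';
  return dst_length + src_length;               /* length we tried to create */
}

/* Exercise the cases the man pages describe on constructed buffers;
   returns 1 when all of them behave as documented. */
int demo_strlcat_cases (void)
{
  char buf[8];
  /* Plain append with room to spare. */
  memcpy (buf, "ab", 3);
  if (demo_strlcat (buf, "cd", sizeof buf) != 4 || strcmp (buf, "abcd") != 0)
    return 0;
  /* Truncation: result stays NUL-terminated and the wanted length is returned. */
  memcpy (buf, "abc", 4);
  if (demo_strlcat (buf, "defghij", sizeof buf) != 10
      || strcmp (buf, "abcdefg") != 0)
    return 0;
  /* size == 0 with dst == NULL: only strlen (src) is reported. */
  if (demo_strlcat (NULL, "xyz", 0) != 3)
    return 0;
  /* dst with no NUL inside size: untouched, returns size + strlen (src). */
  memset (buf, 'A', sizeof buf);
  if (demo_strlcat (buf, "z", sizeof buf) != 9 || memchr (buf, '\0', sizeof buf) != NULL)
    return 0;
  return 1;
}
```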