|
|
Subscribe / Log in / New account

Better code searching for Debian

Better code searching for Debian

Posted Jan 8, 2015 21:59 UTC (Thu) by dfsmith (guest, #20302)
In reply to: Better code searching for Debian by JGR
Parent article: Better code searching for Debian

Note that strlcpy() has an information leak that strncpy() doesn't have. (Fill remaining buffer with '\0': guaranteed for strncpy(), not mentioned for strlcpy().)

to post comments

Better code searching for Debian

Posted Jan 8, 2015 22:43 UTC (Thu) by zlynx (guest, #2285) [Link]

That isn't an information leak. It's a feature.

I know its a feature because I switched some code from strncpy to strlcpy because profiling showed writing the zeros into an 8KB URL string buffer was wasting a LOT of time.

If you are worried about information leaks then you need to be using a security library and it needs to be written in ASM because compilers are too likely to optimize all the security features away. For example, unless a value is volatile the compiler can remove all writes to it if nothing reads it before destroying it.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds