[PATCH v3] staging: android: Replace strcpy with strlcpy

SIMRAN SINGHAL singhalsimran0 at gmail.com
Sun Mar 12 14:55:28 UTC 2017


On Sun, Mar 12, 2017 at 7:04 PM, Greg KH <gregkh at linuxfoundation.org> wrote:
> On Sun, Mar 12, 2017 at 03:32:44AM +0530, simran singhal wrote:
>> Replace strcpy with strlcpy as strcpy does not check for buffer
>> overflow.
>
> Can there be a buffer overflow here?  If not, then strcpy is just fine
> to use.  Do you see a potential code path here that actually is a
> problem using this?
>
>> This is found using Flawfinder.
>
> You mean 'grep'?  :)
>
> If not, what exactly does "Flawfinder" point out is wrong with the code
> here?  At first glance, I can't find it, but perhaps the tool, and your
> audit, provided more information?
>
> thanks,
>

Flawfinder reports possible security weaknesses (“flaws”) sorted by risk level.
The risk level is shown inside square brackets and varies from 0, very little
risk, to 5, great risk.

So, here in this case I was getting a risk of [4].
This is what I got:
drivers/staging/android/ashmem.c:551:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
  misused).

> greg k-h
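
The distinction raised in this exchange, as an added example that is not part of the patch or of ashmem.c: a scanner hit on `strcpy` is a pattern match, and whether an overflow is reachable depends on what bounds the source. `NAME_LEN`, `demo_strlcpy` and both copy functions are hypothetical names; `demo_strlcpy` is a local stand-in with strlcpy semantics so the block builds in user space.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16 /* hypothetical size, not taken from ashmem.c */

/* Stand-in with strlcpy semantics: copy at most size-1 bytes, always
 * NUL-terminate when size > 0, return strlen(src) so truncation shows. */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);

    if (size > 0) {
        size_t n = (len >= size) ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Case 1: the source is a NUL-terminated array no larger than dst, so
 * strcpy cannot overflow. A pattern-based scanner flags the call anyway. */
int copy_bounded_source(char dst[NAME_LEN])
{
    char src[NAME_LEN] = "short-name"; /* constructed sample value */

    strcpy(dst, src);
    return (int)strlen(dst);
}

/* Case 2: the source length is not under the caller's control. The copy is
 * bounded, and the return value reports truncation (-1) instead of hiding it. */
int copy_unbounded_source(char dst[NAME_LEN], const char *src)
{
    return demo_strlcpy(dst, src, NAME_LEN) >= NAME_LEN ? -1 : 0;
}

int main(void)
{
    char buf[NAME_LEN];

    printf("bounded source: %d bytes copied\n", copy_bounded_source(buf));
    printf("long source: rc=%d, buf=\"%s\"\n",
           copy_unbounded_source(buf, "0123456789abcdefXYZ"), buf);
    return 0;
}
```

In the second case the bounded copy turns an overflow into silent truncation unless the caller checks the return value, so the replacement is only an improvement where that check is made.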

