This is the mail archive of the
libc-alpha@sources.redhat.com
mailing list for the glibc project.
Re: Wish for 2002 ...
- From: Paul Eggert <eggert at twinsun dot com>
- To: leclerc at austin dot sns dot slb dot com
- Cc: security-audit at ferret dot lmh dot ox dot ac dot uk, libc-alpha at sources dot redhat dot com, open-source at csl dot sri dot com
- Date: Fri, 11 Jan 2002 15:49:23 -0800 (PST)
- Subject: Re: Wish for 2002 ...
- References: <E16P0tJ-0007TI-00@the-village.bc.nu> <3C3F423E.572BF6BF@austin.sns.slb.com>
> Date: Fri, 11 Jan 2002 13:51:26 -0600
> From: Francois Leclerc <leclerc@austin.sns.slb.com>
>
> Second school: My humble, radical view point.
> run "gmake"
> run "its4", "rats" & "flawfinder"
> Eliminate all references to strcat/strcpy...
> Introduce strlcat or use alternate constructs.
Blindly replacing strcat/strcpy with strlcat/strlcpy is
counterproductive, for reasons we've already discussed.
It makes the code harder to maintain, and it is no safer
than conventional fixes.
It is certainly reasonable to use alternate constructs, though. You
might start with the function that Linus Torvalds proposed in this
thread. It can be improved -- for example, you might want to
generalize it to a single function that can handle an arbitrary number
of string arguments -- but it is a good starting point.
> This process is not constraining on the individual participants but
> will hardly help in a SSE-CMM or CC certification higher than level 1.
But _you_ are the one who wants to remove all instances of
strcpy/strcat from your code. SSE-CMM etc. do not require it.
Nor do they require replacing it with strlcpy/strlcat.
You cannot appeal directly to SSE-CMM etc. in this discussion.
You have to make your own case for your desired coding standard.
And so far, your case has been too weak to be a convincing argument
for adding these two controversial primitives to glibc.