From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: from second.openwall.net (second.openwall.net [193.110.157.125]) by inbox.vuxu.org (Postfix) with SMTP id EFF1F20DCC for ; Sun, 24 Mar 2024 18:46:55 +0100 (CET) Received: (qmail 17944 invoked by uid 550); 24 Mar 2024 17:42:12 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 17908 invoked from network); 24 Mar 2024 17:42:12 -0000 Date: Sun, 24 Mar 2024 13:47:02 -0400 From: Rich Felker To: Maks Mishin Cc: musl@lists.openwall.com Message-ID: <20240324174702.GB32430@brightrain.aerifal.cx> References: <20240324170732.26096-1-maks.mishinFZ@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240324170732.26096-1-maks.mishinFZ@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: [musl] Re: [PATCH] wcpcpy: Replace call of vulnerable function On Sun, Mar 24, 2024 at 08:07:32PM +0300, Maks Mishin wrote: > Use of vulnerable function 'wcscpy' at wcpcpy.c:5. > This function is unsafe, use 'wcsncpy' instead. > > Found by RASU JSC. > > Signed-off-by: Maks Mishin > --- > src/string/wcpcpy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/string/wcpcpy.c b/src/string/wcpcpy.c > index ef401343..53a29a99 100644 > --- a/src/string/wcpcpy.c > +++ b/src/string/wcpcpy.c > @@ -2,5 +2,5 @@ > > wchar_t *wcpcpy(wchar_t *restrict d, const wchar_t *restrict s) > { > - return wcscpy(d, s) + wcslen(s); > + return wcsncpy(d, s, sizeof d) + wcslen(s); > } > -- > 2.30.2 Also wrong for the exact same reasons as the sprintf one. Rich