From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: from second.openwall.net (second.openwall.net [193.110.157.125]) by inbox.vuxu.org (Postfix) with SMTP id DFE41217BF for ; Sun, 24 Mar 2024 18:50:36 +0100 (CET) Received: (qmail 25811 invoked by uid 550); 24 Mar 2024 17:45:53 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 25773 invoked from network); 24 Mar 2024 17:45:53 -0000 Date: Sun, 24 Mar 2024 13:50:43 -0400 From: Rich Felker To: Maks Mishin Cc: musl@lists.openwall.com Message-ID: <20240324175043.GC32430@brightrain.aerifal.cx> References: <20240324172627.29640-1-maks.mishinFZ@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240324172627.29640-1-maks.mishinFZ@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: [musl] Re: [PATCH] wcscat: Replace call of vulnerable function On Sun, Mar 24, 2024 at 08:26:27PM +0300, Maks Mishin wrote: > Use of vulnerable function 'wcscpy' at wcscat.c:5. > This function is unsafe, use wcsncpy instead. > > Found by RASU JSC. > > Signed-off-by: Maks Mishin > --- > src/string/wcscat.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/string/wcscat.c b/src/string/wcscat.c > index d4f00ebd..b4e4b2eb 100644 > --- a/src/string/wcscat.c > +++ b/src/string/wcscat.c > @@ -2,6 +2,6 @@ > > wchar_t *wcscat(wchar_t *restrict dest, const wchar_t *restrict src) > { > - wcscpy(dest + wcslen(dest), src); > + wcsncpy(dest + wcslen(dest), src, sizeof dest); > return dest; > } > -- > 2.30.2 Wrong for same reason as the sprintf one.