From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: from second.openwall.net (second.openwall.net [193.110.157.125]) by inbox.vuxu.org (Postfix) with SMTP id 89A32211EF for ; Sun, 24 Mar 2024 18:52:16 +0100 (CET) Received: (qmail 29946 invoked by uid 550); 24 Mar 2024 17:47:33 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 29912 invoked from network); 24 Mar 2024 17:47:33 -0000 Date: Sun, 24 Mar 2024 13:52:23 -0400 From: Rich Felker To: Maks Mishin Cc: musl@lists.openwall.com Message-ID: <20240324175222.GD32430@brightrain.aerifal.cx> References: <20240324173251.31346-1-maks.mishinFZ@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240324173251.31346-1-maks.mishinFZ@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: [musl] Re: [PATCH] lookup_name: Replace call of vulnerable function On Sun, Mar 24, 2024 at 08:32:51PM +0300, Maks Mishin wrote: > Use of vulnerable function 'strcpy' at lookup_name.c:122. > This function is unsafe, use 'strncpy' instead. > > Found by RASU JSC. > > Signed-off-by: Maks Mishin > --- > src/network/lookup_name.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c > index 35218185..b59ec7c6 100644 > --- a/src/network/lookup_name.c > +++ b/src/network/lookup_name.c > @@ -119,7 +119,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const > if (rr == RR_CNAME) { > if (__dn_expand(packet, (const unsigned char *)packet + plen, > data, tmp, sizeof tmp) > 0 && is_valid_hostname(tmp)) > - strcpy(ctx->canon, tmp); > + strncpy(ctx->canon, tmp, sizeof ctx->canon); > return 0; > } > if (ctx->cnt >= MAXADDRS) return 0; > -- > 2.30.2 The buffer is explicitly chosen with size such that any hostname fits, and the is_valid_hostname predicate checks this. This RASU JSC static analysis tool you're using seems particularly bad at its job.