From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H2 autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 9345 invoked from network); 23 Oct 2022 14:11:03 -0000 Received: from second.openwall.net (193.110.157.125) by inbox.vuxu.org with ESMTPUTF8; 23 Oct 2022 14:11:03 -0000 Received: (qmail 13350 invoked by uid 550); 23 Oct 2022 14:10:59 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 12285 invoked from network); 23 Oct 2022 14:10:58 -0000 Date: Sun, 23 Oct 2022 16:10:46 +0200 From: Szabolcs Nagy To: Rich Felker Cc: Ismael Luceno , musl@lists.openwall.com Message-ID: <20221023141046.GM2158779@port70.net> Mail-Followup-To: Rich Felker , Ismael Luceno , musl@lists.openwall.com References: <20221022135723.31813-1-ismael@iodev.co.uk> <20221023054622.GP29905@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221023054622.GP29905@brightrain.aerifal.cx> Subject: Re: [musl] [PATCH] remove strdupa * Rich Felker [2022-10-23 01:46:22 -0400]: > On Sat, Oct 22, 2022 at 03:57:23PM +0200, Ismael Luceno wrote: > > There's no portable way to implement strdupa without double evaluation > > of it's parameter, and it's use leads to vulnerabilities, since there's > > no chance to check for stack overruns. > > > > Signed-off-by: Ismael Luceno > > --- > > include/string.h | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/include/string.h b/include/string.h > > index 43ad0942edd5..65fe0d503004 100644 > > --- a/include/string.h > > +++ b/include/string.h > > @@ -88,7 +88,6 @@ void explicit_bzero (void *, size_t); > > #endif > > > > #ifdef _GNU_SOURCE > > -#define strdupa(x) strcpy(alloca(strlen(x)+1),x) > > int strverscmp (const char *, const char *); > > char *strchrnul(const char *, int); > > char *strcasestr(const char *, const char *); > > -- > > 2.38.1 > > Does anyone have strong opinions one way or the other on this -- > especially distro folks who'd need to deal with the fallout? debian code search finds strdupa in 126 packages, so it is widely used and not trivial to manually fix up, i'd expect distros to just readd that definition to avoid breakage.