Re: [PATCH net-next] net/rds: Replace deprecated strncpy() with strscpy_pad()

From: Thorsten Blum
Date: Thu Feb 20 2025 - 02:05:01 EST


On 20. Feb 2025, at 03:57, Kees Cook wrote:
> On Wed, Feb 19, 2025 at 11:47:31PM +0100, Thorsten Blum wrote:
>> strncpy() is deprecated for NUL-terminated destination buffers. Use
>> strscpy_pad() instead and remove the manual NUL-termination.
>
> When doing these conversions, please describe two aspects of
> conversions:
>
> - Why is it safe to be NUL terminated
> - Why is it safe to be/not-be NUL-padded
>
> In this case, the latter needs examination. Looking at how ctr is used,
> it is memcpy()ed later, which means this string MUST be NUL padded or it
> will leak stack memory contents.
>
> So, please use strscpy_pad() here. :)

I am using strscpy_pad() here already because of the NUL-padding.

Did you just miss that?

Thanks,
Thorsten