cvs commit: src/sys/kern subr_bus.c subr_rman.c vfs_subr.c
src/sys/net if_mib.c src/sys/netinet ip_divert.c raw_ip.c
udp_usrreq.c
John-Mark Gurney
gurney_j at resnet.uoregon.edu
Thu May 5 23:20:18 PDT 2005
Warner Losh wrote this message on Thu, May 05, 2005 at 23:22 -0600:
> In message: <20050506032202.GC2670 at funkthat.com>
> John-Mark Gurney <gurney_j at resnet.uoregon.edu> writes:
> : Colin Percival wrote this message on Fri, May 06, 2005 at 02:48 +0000:
> : > cperciva 2005-05-06 02:48:21 UTC
> : >
> : > FreeBSD src repository
> : >
> : > Modified files:
> : > sys/kern subr_bus.c subr_rman.c vfs_subr.c
> : > sys/net if_mib.c
> : > sys/netinet ip_divert.c raw_ip.c udp_usrreq.c
> : > Log:
> : > If we are going to
> : > 1. Copy a NULL-terminated string into a fixed-length buffer, and
> : > 2. copyout that buffer to userland,
> : > we really ought to
> : > 0. Zero the entire buffer
> : > first.
> : >
> : > Security: FreeBSD-SA-05:08.kmem
> :
> : /me notes this is a good reason to use strncpy instead of strlcpy.
>
> Don't you mean the opposite?
Nope, from strncpy(3):
The strncpy() copies not more than len characters into dst, appending
`\0' characters if src is less than len characters long,
This is a little bit terse, but strncpy NUL pads the remaining buffer,
unlike strlcpy which leaves any unused bytes untouched... And yes, our
libkern version of strncpy does do this:
/* NUL pad the remaining n-1 bytes */
while (--n != 0)
*d++ = 0;
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the cvs-src
mailing list