don't forget the hilariously dangerous strcpy that they "fixed" with strncpy, wh... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		olliej on Nov 22, 2022 \| parent \| context \| favorite \| on: Why CVE-2022-3602 was not detected by fuzz testing don't forget the hilariously dangerous strcpy that they "fixed" with strncpy, which would happily create unterminated strings, so has was fixed again with strlcpy. At least std::string doesn't have these problems (it has its own issues because the anemic API surface means you keep needing C APIs that require null termination)

saagarjha on Nov 22, 2022 [–]

Slapping strlcpy on everything, as some codebases/companies have taken to doing, is a poor fix. The proper fix is not quite shipping yet, but you can build your own out of memccpy if you'd like. (Of course, at the risk of doing it wrong…)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact