Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221023141046.GM2158779@port70.net>
Date: Sun, 23 Oct 2022 16:10:46 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: Rich Felker <dalias@...c.org>
Cc: Ismael Luceno <ismael@...ev.co.uk>, musl@...ts.openwall.com
Subject: Re: [PATCH] remove strdupa

* Rich Felker <dalias@...c.org> [2022-10-23 01:46:22 -0400]:
> On Sat, Oct 22, 2022 at 03:57:23PM +0200, Ismael Luceno wrote:
> > There's no portable way to implement strdupa without double evaluation
> > of it's parameter, and it's use leads to vulnerabilities, since there's
> > no chance to check for stack overruns.
> > 
> > Signed-off-by: Ismael Luceno <ismael@...ev.co.uk>
> > ---
> >  include/string.h | 1 -
> >  1 file changed, 1 deletion(-)
> > 
> > diff --git a/include/string.h b/include/string.h
> > index 43ad0942edd5..65fe0d503004 100644
> > --- a/include/string.h
> > +++ b/include/string.h
> > @@ -88,7 +88,6 @@ void explicit_bzero (void *, size_t);
> >  #endif
> >  
> >  #ifdef _GNU_SOURCE
> > -#define	strdupa(x)	strcpy(alloca(strlen(x)+1),x)
> >  int strverscmp (const char *, const char *);
> >  char *strchrnul(const char *, int);
> >  char *strcasestr(const char *, const char *);
> > -- 
> > 2.38.1
> 
> Does anyone have strong opinions one way or the other on this --
> especially distro folks who'd need to deal with the fallout?

debian code search finds strdupa in 126 packages,
so it is widely used and not trivial to manually fix up,
i'd expect distros to just readd that definition to avoid breakage.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.