daniel:// stenberg://

4 weeks ago

daniel:// stenberg://
4 weeks ago

One way we work on making #curl code safer (with fewer mistakes) is by using more helper functions and fewer direct calls to *alloc() and mem/strcpy().

Since reported vulnerabilities generally are really old, we can't know yet for several years if it actually has the desired effect.

I plot the memory call density to see how it goes.

#curl

This entry was edited (4 weeks ago)

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 4 weeks ago

strncpy has been banned completely from #curl since a while back, for the same reasons

#curl

This entry was edited (4 weeks ago)

in reply to daniel:// stenberg://

SchwarzeLocke

in reply to daniel:// stenberg:// 3 weeks ago

I would also think that reduces the "attack" surface for sloppy AI reports.

in reply to SchwarzeLocke

daniel:// stenberg://

in reply to SchwarzeLocke 3 weeks ago

@SchwarzeLocke maybe. I'm not so sure. The AIs seem to be able to make things up from anything and everything.

@SchwarzeLocke

in reply to daniel:// stenberg://

Arwalk

in reply to daniel:// stenberg:// 3 weeks ago

can I ask why strncpy is banned? Isn't it supposed to be safer than strcpy?

in reply to Arwalk

@Arwalk we found strncpy too often involved in mistakes. It is not generally "safer" than strcpy because of its lack of terminating null. Also, the right answer is rarely to copy a partial string, in more cases than not the correct behavior is to return an error if the target is too small.

@Arwalk