Wireshark · Ethereal-dev: Re: [Ethereal-dev] strcpy harmful, what?

[Andrew Hood <ajhood@xxxxxxxxx>]

Guy Harris wrote:
> Rich Coe wrote:
> 
>> I think that replacing strcpy with a library function that (eventually)
>> calls strcpy (strncpy)
> 
> 
> If any snprintf-like function calls strcpy() on %s strings, it's buggy,
> so that probably should be stated as "that (eventually) calls strncpy or
> strlcpy".  Replacing calls to strcpy() or strcat() is neither pointless
> nor stupid unless the calls in question have done *correct* bounds
> checking already, and it's probably a bit error prone either to
> 
>     1) require that the bounds checks be done correctly (as you have to
> check how much space is left in the string)
> 
> or even
> 
>     2) require that they be done at all.
> 
> One might argue that using strlcpy() and strlcat() would be better than
> using snprintf() or g_snprintf(); to do that, we'd have to supply our
> own strlcpy() and strlcat() if the platform for which we're building
> doesn't have them.

So include it (unless you have a problem with the BSD-style license),
and let configure decide if it needs to be compiled. Quote:

Availability

The source code for strlcpy() and strlcat() is available free of charge
and under a BSD-style license as part of the OpenBSD operating system.
You may also download the code and its associated manual pages via
anonymous ftp from ftp.openbsd.org in the directory
/pub/OpenBSD/src/lib/libc/string. The source code for strlcpy() and
strlcat() is in strlcpy.c and strlcat.c. The documentation (which uses
the tmac.doc troff macros) may be found in strlcpy.3.

-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who