tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Theo chiming in on strlcpy



On Sat, Dec 21, 2013 at 08:58:32PM +0100, Marc Espie wrote:
 > > Not only have I thought about it, I've been patching insecure code as
 > > long as just about anyone. I just don't happen to agree with your
 > > dogma.
 > 
 > Well, aren't you getting tired of patching the same mistakes again
 > and again ?

If you consider

   char buf[16];
   strcpy(buf, "foo");
   strcat(buf, "/");
   strcat(buf, "bar");

a "mistake", then of course you're going to get tired of patching it
again and again. But that's not fixing security problems; it's tilting
at windmills.

You're reminding me of something Francis Glassborow posted on
comp.std.c a long time back during a similar argument:

   Coding standards are not a substitute for competence.

-- 
David A. Holland
dholland%netbsd.org@localhost


Home | Main Index | Thread Index | Old Index