Ticket #5750 (new defect)


Opened 2 years ago

Last modified 6 months ago

Use of strcat, strcpy should be replaced with strlcat, strlcpy

Reported by: deborah Assigned to: pedberg
Priority: assess Milestone: UNSCH
Component: others Version: Current
Keywords: Cc:
Load: Xref: 5353
Java Version: Operating System:
Project (C/J): ICU4C Weeks:
Review:

Description

For security reasons (e.g., buffer overflow attacks), use of unbounded strcat and strcpy should be replaced with the bounded versions (strlcat, strlcpy). Both are part of the standard C library.

Attachments

Change History

06/23/07 09:48:15 changed by grhoten

  • owner changed from somebody to deborah.
  • priority changed from critical to major.
  • component changed from unknown to others.

It is incorrect to state that these functions are a part of the standard C library. These functions are only available on BSD OS variants (OpenBSD 2.4 or later and FreeBSD 3.3 or later). They are not available on Linux or Windows.

Visual Studio 2005 does have functions like strcat_s, strcpy_s, strncat_s and strncpy_s, but the arguments are in a different order. Compiler warnings about using strcpy and strcat are hidden by defining _CRT_SECURE_NO_DEPRECATE.

C does have strncat and strncpy.

I agree that this type of feature would be good to have, but it's not going to be as simple as you think. ICU could either use a macro to use the platform-dependent version of this function, or the functions will have to be written from scratch in cstring.h/c. The latter option would guarantee platform-independent behavior, and it would always be available.

06/23/07 09:57:55 changed by grhoten

  • xref set to 5353.

07/10/08 11:14:38 changed by yoshito

  • priority changed from major to assess.

07/10/08 14:47:50 changed by deborah

  • owner changed from deborah to pedberg.
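
The 06/23/07 comment mentions writing the bounded functions from scratch so that behavior is the same on every platform. The block below is an added sketch of that option and is not ICU code or part of this ticket: `ex_strlcpy`, `ex_strlcat` and `ex_join_path` are hypothetical names, and the semantics assumed are those of the BSD functions (always NUL-terminate, return the length the full result would have had, so a return value >= the buffer size signals truncation).

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst, whose total capacity is dstsize bytes (NUL included).
 * Always NUL-terminates when dstsize > 0. Returns strlen(src); a return
 * value >= dstsize means the copy was truncated. */
size_t ex_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = (srclen < dstsize - 1) ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Append src to dst (total capacity dstsize). Returns the length the result
 * would have had without truncation. If dst holds no NUL within dstsize
 * bytes, nothing is written, so an unterminated buffer is never overrun. */
size_t ex_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    size_t dstlen = 0;
    while (dstlen < dstsize && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == dstsize) return dstsize + srclen;
    size_t room = dstsize - dstlen - 1;          /* bytes left before the NUL */
    size_t n = (srclen < room) ? srclen : room;
    memcpy(dst + dstlen, src, n);
    dst[dstlen + n] = '\0';
    return dstlen + srclen;
}

/* Caller pattern: build "dir/name", failing closed (-1) on truncation
 * instead of continuing with a silently shortened string. */
int ex_join_path(char *out, size_t outsize, const char *dir, const char *name)
{
    if (ex_strlcpy(out, dir, outsize) >= outsize) return -1;
    if (ex_strlcat(out, "/", outsize) >= outsize) return -1;
    if (ex_strlcat(out, name, outsize) >= outsize) return -1;
    return 0;
}

int main(void) {
    char out[16];                                /* constructed sample input */
    int rc = ex_join_path(out, sizeof out, "/usr/lib", "icu");
    printf("rc=%d out=%s\n", rc, out);
    return 0;
}
```

Unlike `strncpy`, which leaves the destination unterminated when the source fills it, these always terminate; the caller still has to check the return value, as `ex_join_path` does.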
