Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/dalias/statuses/113802276913553096">Rich Felker (dalias@hachyderm.io)'s status on Friday, 10-Jan-2025 13:55:39 JST</a><a href="https://hachyderm.io/@dalias" title="dalias@hachyderm.io"><img src="https://gnusocial.jp/avatar/40873-48-20221207231635.webp" width="48" height="48" alt="Rich Felker" style="position: absolute; left: 0; top: 0;">Rich Felker</a><div><a href="https://infosec.exchange/@da_667/113802211718935393" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://infosec.exchange/@da_667">@da_667</a> LMAO this os exactly why the MSVC "secure"/Annex K interfaces are utterly useless. Passing the wrong size twice is no more a deterrent than passing the wrong size once.</p><p>(FWIW strncpy is also the wrong thing to use here, as it's for null padded buffers not null terminated and will fail to terminate when buffer is full. It can be used to construct thr right thing but that's not its purpose and it's not well suited.)</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4346078#notice-8497792">In conversation</a><time datetime="2025-01-10T13:55:39+09:00" title="Friday, 10-Jan-2025 13:55:39 JST">about a month ago</time> <span>from <span><a href="https://hachyderm.io/@dalias/113802276913553096" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@dalias/113802276913553096">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/3880974">Screenshot from above replied to article:Oof! The developer has (rightly) used strncpy, instead of the unsafe strcpy, but has mistakenly passed in the size of the input string - notthe size of the destination buffer - as the size Iagly®</a></label><br><a href="https://media.hachyderm.io/media_attachments/files/113/802/267/487/560/055/original/3ed854132249fc28.png" rel="external">https://media.hachyderm.io/media_attachments/files/113/802/267/487/560/055/original/3ed854132249fc28.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Friday, 10-Jan-2025 13:55:39 JSTRich Felker
in reply to
- da_667
@da_667 LMAO this os exactly why the MSVC "secure"/Annex K interfaces are utterly useless. Passing the wrong size twice is no more a deterrent than passing the wrong size once.
(FWIW strncpy is also the wrong thing to use here, as it's for null padded buffers not null terminated and will fail to terminate when buffer is full. It can be used to construct thr right thing but that's not its purpose and it's not well suited.)
In conversationabout a month ago from hachyderm.iopermalink
Attachments
1. Screenshot from above replied to article: Oof! The developer has (rightly) used strncpy, instead of the unsafe strcpy, but has mistakenly passed in the size of the input string - notthe size of the destination buffer - as the size Iagly®
  https://media.hachyderm.io/media_attachments/files/113/802/267/487/560/055/original/3ed854132249fc28.png

Public

Embed Notice

HTML Code

Corresponding Notice