On Thu, 2003-11-27 at 21:00, Russell King wrote:
> > I believe that it, to change from strcpy() to strlcpy(), just
> > eliminates possibility of buffer-overrun.
> While this is 100% correct, the bit which raised my attention was the
> original message which didn't seem to show that the above had been
Well, I can't see the difference between using strcpy() and strlcpy().
char * source;
N = strlen(source);
We could use strlcpy(destination, source, MAX) or strcpy(destination,
We have the following scenarios:
- N < MAX. In this case, both strcpy() and strlcpy() should yield the
same results. No buffer overflows. If the source strings does not
already contain uninitialised data, there's no way for strlcpy() to copy
- N >= MAX. In this case, strlcpy() will copy less bytes than strcpy().
To be exact, strlcpy() will copy N-MAX+1 bytes less than strcpy().
Again, no buffer overflows. Also, it's still impossible to copy
uninitialised data since we just stop at \0 or when we fill up the
So I don't see how using strlcpy() could copy uninitialised data from
kernel space to user space. If we used memcpy() we could end up copying
uninitialised data, but I can't see how using strlcpy() would do that.
In general terms, strlcpy() will copy *at most* the same number of bytes
as strcpy(), but there is no single case when strlcpy() will copy more
bytes than strcpy().
Can someone throw some light on this?