From owner-freebsd-security Mon Dec 16 10:53:49 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id KAA24294 for security-outgoing; Mon, 16 Dec 1996 10:53:49 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id KAA24289 for ; Mon, 16 Dec 1996 10:53:47 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id LAA19149; Mon, 16 Dec 1996 11:53:04 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id LAA09106; Mon, 16 Dec 1996 11:35:05 -0700 (MST)
Date: Mon, 16 Dec 1996 11:35:05 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Jason Downs
cc: Dmitry Valdov, freebsd-security@freebsd.org
Subject: Re: crontab security hole
In-Reply-To: <199612161457.GAA18590@threadway.teeny.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[removed from -bugs]

On Mon, 16 Dec 1996, Jason Downs wrote:

> In message ,
> Marc Slemko writes:
> >
> >It was fixed in -stable the other day by pst. The patch, pulled
> >from the CVS tree, follows.
>
> Haven't any of you ever heard of a very simple and efficient non-stdio
> routine called, of all things, strncpy()?
>
> It's been around for, like, ever.

I'm sure that many of us have. If I was writing the patch, I would probably use strncpy. However, I think the reason why strncpy wasn't used is because it won't null terminate the string if it is >= the length given. It just means an extra line of code to make sure it is terminated, but I don't see it as being much more than a matter of style in this context.

A few quick informal benchmarks show that strncpy is faster than snprintf in some cases and snprintf is faster than strncpy in others.
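
The strncpy() termination behaviour discussed in this message, shown as an added C example that is not part of the original post or of the crontab patch it refers to. The function names and the sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if a bare strncpy() left dst without a NUL in its first n bytes. */
int strncpy_unterminated(char *dst, size_t n, const char *src)
{
    memset(dst, 'X', n);            /* sentinel so a missing NUL is detectable */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* strncpy plus the "extra line": always terminated; returns 1 on truncation. */
int copy_strncpy(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 1;                   /* no room even for the terminator */
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) >= n;
}

/* snprintf terminates whenever n > 0; its return value reveals truncation. */
int copy_snprintf(char *dst, size_t n, const char *src)
{
    int len = snprintf(dst, n, "%s", src);
    return len < 0 || (size_t)len >= n;
}

int main(void)
{
    const char *name = "averylongusername";   /* constructed input, 17 chars */
    char a[8], b[8], c[8];

    printf("bare strncpy unterminated: %d\n",
           strncpy_unterminated(a, sizeof a, name));
    printf("strncpy+NUL truncated=%d -> \"%s\"\n",
           copy_strncpy(b, sizeof b, name), b);
    printf("snprintf    truncated=%d -> \"%s\"\n",
           copy_snprintf(c, sizeof c, name), c);
    return 0;
}
```

Both bounded variants leave the same terminated 7-character prefix in an 8-byte buffer; they differ only in how truncation is detected.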