On Mon, Dec 9, 2019 at 10:14 PM li zi <lubury...@hotmail.com> wrote: > > Hi All, > We are using gcc in our projects and we found some of the C standard > functions (like memcpy, strcpy) used in gcc may induce security > vulnerablities like buffer overflow. Currently we have not found any > instances which causes such issues.
Are you using GCC as a compiler or the sources of GCC to do something else? If you are using it as a compiler, GCC does NOT provide the libc functions, another project (e.g. glibc) provides those. > But we feel better to change these calls to Cll Annex K Bounds-checking > interfaces like memcpy_s, strcpy_s etc. By defining a secure calls method > (list of func pointers) and allowing application to register the method. I > understand that this affects performance because of return value check added > for xxxx_s calls, but this will relieve overflow kind of issues from code. > And also currently using bounds-checking interfaces is a general industry > practice. > Please share your opinion on it, and if any discussion happened in community > to do some changes in future. Really the _s functions are not so good and right now are optional part of the C standard and not even implemented by glibc. Plus they not so useful and there are other methods of producing similar code without them. Thanks, Andrew > > Thanks. > li > >
