On Fri, 4 Apr 2025 08:54:33 -0400 Mathieu Desnoyers <[email protected]> wrote:
> >>> - if ((len = str_has_prefix(str, "_filter=")))
> >>> - strncpy(stack_trace_filter_buf, str + len,
> >>> COMMAND_LINE_SIZE);
> >>> + len = str_has_prefix(str, "_filter=");
> >>> +
> >>> + if (len)
> >>> + memcpy(stack_trace_filter_buf, str + len,
> >>> sizeof(stack_trace_filter_buf));
> >>
> >> Hmm, this location looks like it can just use strscpy().
> >
> > Yes, strscpy() also works. But since stack_trace_filter_buf is length
> > bounded, shouldn't memcpy be the right choice?
>
> It's not only about the destination, but also about the source length.

Correct.

> AFAIU, turning a strncpy into a memcpy here will overflow reading the
> input @str if the input string is smaller than
> sizeof(stack_trace_filter_buf) + len.

The old code just read str + len and what was after it until it hit a '\0'
or the COMMAND_LINE_SIZE limit. memcpy() always reads COMMAND_LINE_SIZE
(which is sizeof(stack_trace_filter_buf)) and will read more of the source
"str" than may exist.

Which, as Mathieu pointed out, is a bug.

-- Steve
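Review bot: the memcpy() in the new `if (len)` branch reads sizeof(stack_trace_filter_buf) bytes starting at str + len no matter how long the source string actually is, so any "_filter=" argument shorter than that leads to an out-of-bounds read of @str; the strncpy() it replaces stopped at the terminating '\0'. Use strscpy(stack_trace_filter_buf, str + len, sizeof(stack_trace_filter_buf)) instead, as suggested in the thread: it is bounded by both the source length and the destination size and NUL-terminates the result.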
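The source-and-destination-bounded copy the thread recommends, as an added userland example that is not from the patch or the kernel tree: str_has_prefix() and strscpy() are reimplemented here under the kernel's names as stand-ins (assumption), COMMAND_LINE_SIZE is shrunk to 32 for the demo, and set_stack_trace_filter() is a hypothetical wrapper for the "_filter=" branch.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Shrunk for the demo (assumption); the kernel's COMMAND_LINE_SIZE is much larger. */
#define COMMAND_LINE_SIZE 32

char stack_trace_filter_buf[COMMAND_LINE_SIZE];

/* Userland stand-in for the kernel's str_has_prefix(): length of @prefix if
 * @str starts with it, otherwise 0. */
size_t str_has_prefix(const char *str, const char *prefix)
{
	size_t len = strlen(prefix);

	return strncmp(str, prefix, len) == 0 ? len : 0;
}

/* Userland stand-in for the kernel's strscpy(): copies at most @size - 1 bytes,
 * always NUL-terminates, and stops at the source's '\0', so it never reads past
 * the end of a short source the way memcpy(dst, src, size) would.
 * Returns the number of bytes copied, or -E2BIG if @src had to be truncated. */
long strscpy(char *dst, const char *src, size_t size)
{
	size_t i;

	if (size == 0)
		return -E2BIG;
	for (i = 0; i < size - 1 && src[i] != '\0'; i++)
		dst[i] = src[i];
	dst[i] = '\0';
	return src[i] == '\0' ? (long)i : -E2BIG;
}

/* Hypothetical wrapper for the "_filter=" branch of the setup function.
 * Returns -1 when @str is not a _filter= argument, else strscpy()'s result. */
long set_stack_trace_filter(const char *str)
{
	size_t len = str_has_prefix(str, "_filter=");

	if (!len)
		return -1;
	/* Bounded by both the destination size and the source's terminator. */
	return strscpy(stack_trace_filter_buf, str + len,
		       sizeof(stack_trace_filter_buf));
}
```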
