develooper Front page | perl.perl5.porters | Postings from October 2015

Re: warning (sermon?) about strcat() from openbsd linker

From: Zefram
Date: October 17, 2015 19:14
Subject: Re: warning (sermon?) about strcat() from openbsd linker
Message ID: 20151017191406.GP9229@fysh.org
Jarkko Hietaniemi wrote:
>: warning: strcat() is almost always misused, please use strlcat()

There's an interesting discussion of this group of warnings at

http://openbsd-archive.7691.n7.nabble.com/while-trying-to-compile-gettext-0-18-3-2-I-see-questionable-messages-td243464.html

The upshot of that discussion is that the warning messages don't
accurately convey the intent of the OpenBSD folks.

When writing new code, they'd like programmers to think more about
buffer overflow risks.  Using strlcat() in place of strcat() would be
a likely part of the more cautious approach; that's where the warning
message is most directly applicable.  But just using strlcat() and friends
isn't enough; it needs to be part of the programmer's overall worldview.
Buffer overruns don't arise only from the use of string library functions
but also from organic non-library C code.  The whole language makes it
very easy to make that sort of mistake.

In a large established program, such as Perl, it's too late to influence
the original programmer's worldview, and the consequent general
susceptibility of the program to buffer overflows.  Changing individual
uses of strcat() to strlcat() won't make much difference.  Here the
warning message should not be taken at face value: they say that the
warning really signals that the whole program could do with a proper audit
for buffer overflow problems.  In the absence of a comprehensive audit,
in fact, changing to strlcat() et al is a *bad* thing from the OpenBSD
point of view, because it suppresses this still-applicable warning that
the program hasn't been audited in the OpenBSD way.

Incidentally, stpcpy() gets a more strongly-worded warning, claiming
that it is "dangerous GNU crap".  This message is more problematic,
in three ways.  Firstly, the function wasn't actually invented by GNU,
though it seems that GNU is responsible for popularising it in the Unix
space.  Secondly, the message suggests that the function is intrinsically
dangerous in the kind of way that gets() is, where it's impossible to
use it correctly, which isn't the case.  Actually stpcpy() is exactly
as dangerous as strcpy(): capable of implementing buffer overflows, but
equally capable of being used correctly.  And that's the third problem
with the message: by having a different wording from the message for
strcpy() it suggests that the risk is in a different (more severe)
category, whereas actually it's exactly the same risk.

The OpenBSD people acknowledge that strcat() et al can be used correctly.
I'd expect that the Perl core generally does, just as its open-coded
string operations generally manage buffer space correctly.  However, there
almost certainly are *some* buffer overflows in the core, from arithmetic
overflow if not from plain miscounting.  These risks are not appreciably
correlated with the use of strcat() and other OpenBSD-disfavoured library
functions.  So unless we want to do a thorough audit to get the OpenBSD
stamp of approval, these warnings are pretty irrelevant to us.  We can,
and should, dismiss them as noise.

-zefram
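The argument above turns on two claims: that strcat() and stpcpy() are "capable of being used correctly", and that swapping in strlcat() is not by itself a fix. The following C is an added illustration of both points; it is not code from the thread, from OpenBSD or from the Perl core. It uses a small portable re-implementation of the OpenBSD strlcat() semantics (named portable_strlcat here, an assumption so the example builds on a libc without strlcat), shows strcat() behind the bounds check that makes it correct, shows that strlcat() still needs its return value checked to detect truncation, and shows stpcpy() used exactly as one would use strcpy(): with the length arithmetic done and overflow-checked up front.

```c
#define _POSIX_C_SOURCE 200809L   /* stpcpy() is POSIX.1-2008 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Explicit prototype in case the libc headers hide stpcpy() behind
   feature-test macros we do not control. */
char *stpcpy(char *dst, const char *src);

/* Portable strlcat() with the OpenBSD semantics (added here, not the
   OpenBSD code): append src to the NUL-terminated string in dst, a buffer
   of dsize bytes; always NUL-terminate when there is room; return the
   length the result wanted to be, so a return value >= dsize means the
   result was truncated. */
static size_t portable_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == dsize)                 /* dst not terminated within dsize */
        return dsize + slen;
    size_t room = dsize - dlen - 1;    /* bytes left before the terminator */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* strcat() used correctly: the caller supplies the bounds check that the
   library function lacks.  Needs dlen + slen + 1 <= dsize, written as a
   subtraction so the comparison cannot wrap.  On failure dst is unchanged. */
static bool append_strcat(char *dst, size_t dsize, const char *src)
{
    size_t dlen = strlen(dst);
    size_t slen = strlen(src);
    if (dlen >= dsize || slen >= dsize - dlen)
        return false;
    strcat(dst, src);
    return true;
}

/* strlcat() cannot overrun dst, but it truncates silently; using it
   correctly still means checking the return value.  Returns false when
   the result was truncated (dst then holds the truncated string). */
static bool append_strlcat(char *dst, size_t dsize, const char *src)
{
    return portable_strlcat(dst, src, dsize) < dsize;
}

/* stpcpy() used correctly: exactly the discipline strcpy() needs.  The
   total length is computed first, with the addition guarded against
   arithmetic overflow (the "miscounting" failure mode), and only then are
   the parts copied.  stpcpy() returns a pointer to the new terminator, so
   the chain never rescans dst the way repeated strcat() would. */
static bool join_stpcpy(char *dst, size_t dsize,
                        const char *const *parts, size_t nparts)
{
    size_t need = 1;                   /* the terminating NUL */
    for (size_t i = 0; i < nparts; i++) {
        size_t len = strlen(parts[i]);
        if (len > SIZE_MAX - need)     /* need + len would wrap */
            return false;
        need += len;
    }
    if (need > dsize)
        return false;
    char *p = dst;
    *p = '\0';                         /* correct result for nparts == 0 */
    for (size_t i = 0; i < nparts; i++)
        p = stpcpy(p, parts[i]);
    return true;
}

int main(void)
{
    char a[8] = "abc";                 /* constructed sample buffers */
    printf("strcat  fits: %d -> \"%s\"\n", append_strcat(a, sizeof a, "defg"), a);
    printf("strcat  full: %d -> \"%s\"\n", append_strcat(a, sizeof a, "h"), a);

    char b[8] = "abc";
    printf("strlcat trunc: %d -> \"%s\"\n", append_strlcat(b, sizeof b, "defgh"), b);

    const char *const parts[] = { "/usr", "/lib", "/perl5" };
    char c[16];
    printf("stpcpy  join: %d -> \"%s\"\n", join_stpcpy(c, sizeof c, parts, 3), c);
    printf("stpcpy  short: %d\n", join_stpcpy(c, 14, parts, 3));
    return 0;
}
```

Note what the three helpers have in common: the safety comes from the length check and from acting on its result, not from which library function does the copying. That is the point being made about the OpenBSD warning, and it is why the strlcat() version is no safer than the strcat() version once the return value is ignored.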
