• Linus Torvalds's avatar
    Merge branch 'strscpy' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile · 30c44659
    Linus Torvalds authored
    Pull strscpy string copy function implementation from Chris Metcalf.
    
    Chris sent this during the merge window, but I waffled back and forth on
    the pull request, which is why it's going in only now.
    
    The new "strscpy()" function is definitely easier to use and more secure
    than either strncpy() or strlcpy(), both of which are horrible nasty
    interfaces that have serious and irredeemable problems.
    
    strncpy() has a useless return value, and doesn't NUL-terminate an
    overlong result.  To make matters worse, it pads a short result with
    zeroes, which is a performance disaster if you have big buffers.
    
    strlcpy(), by contrast, is a mis-designed "fix" for strlcpy(), lacking
    the insane NUL padding, but having a differently broken return value
    which returns the original length of the source string.  Which means
    that it will read characters past the count from the source buffer, and
    you have to trust the source to be properly terminated.  It also makes
    error handling fragile, since the test for overflow is unnecessarily
    subtle.
    
    strscpy() avoids both these problems, guaranteeing the NUL termination
    (but not excessive padding) if the destination size wasn't zero, and
    making the overflow condition very obvious by returning -E2BIG.  It also
    doesn't read past the size of the source, and can thus be used for
    untrusted source data too.
    
    So why did I waffle about this for so long?
    
    Every time we introduce a new-and-improved interface, people start doing
    these interminable series of trivial conversion patches.
    
    And every time that happens, somebody does some silly mistake, and the
    conversion patch to the improved interface actually makes things worse.
    Because the patch is mindnumbing and trivial, nobody has the attention
    span to look at it carefully, and it's usually done over large swatches
    of source code which means that not every conversion gets tested.
    
    So I'm pulling the strscpy() support because it *is* a better interface.
    But I will refuse to pull mindless conversion patches.  Use this in
    places where it makes sense, but don't do trivial patches to fix things
    that aren't actually known to be broken.
    
    * 'strscpy' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
      tile: use global strscpy() rather than private copy
      string: provide strscpy()
      Make asm/word-at-a-time.h available on all architectures
    30c44659
Kbuild 670 Bytes