fortify source question

thorsten fly_b747 at gmx.de
Sun Jan 18 02:28:29 PST 2009


Robert Connolly wrote:
> For reasons I'm not aware of, Glibc allows buffer checking to go over the 
> mark. I assume they are aware of it, but I have not checked into it. Libssp 
> is more strict.
> 
> robert

Thanks for the info, I will rebuild with libssp. One thing I found out
trying to investigate the mentioned issue:

Looking at the asm compiler output from gcc -S strcpy-overflow.c,
gcc-4.3.2 seems to optimize the call to strcpy in a way, that there is
no need for the call at all. Which in turn means, there can be no
fortify source warning and no replacement with __strcpy_chk.

thorsten



More information about the hlfs-dev mailing list