Usage of C11 Annex K Bounds-checking interfaces on GCC
Tue Dec 10 06:22:00 GMT 2019
On Mon, Dec 9, 2019 at 10:14 PM li zi <firstname.lastname@example.org> wrote:
> Hi All,
> We are using gcc in our projects and we found some of the C standard functions (like memcpy, strcpy) used in gcc may induce security vulnerablities like buffer overflow. Currently we have not found any instances which causes such issues.
Are you using GCC as a compiler or the sources of GCC to do something
else? If you are using it as a compiler, GCC does NOT provide the
libc functions, another project (e.g. glibc) provides those.
> But we feel better to change these calls to Cll Annex K Bounds-checking interfaces like memcpy_s, strcpy_s etc. By defining a secure calls method (list of func pointers) and allowing application to register the method. I understand that this affects performance because of return value check added for xxxx_s calls, but this will relieve overflow kind of issues from code. And also currently using bounds-checking interfaces is a general industry practice.
> Please share your opinion on it, and if any discussion happened in community to do some changes in future.
Really the _s functions are not so good and right now are optional
part of the C standard and not even implemented by glibc. Plus they
not so useful and there are other methods of producing similar code
More information about the Gcc