Re: [PATCH v2] kconfig/lxdialog: replace strcpy() with strlcpy() in inputbox.c

From: Suchit K
Date: Sun Jul 27 2025 - 12:24:39 EST


On Sun, 27 Jul 2025 at 21:49, Nicolas Schier <nicolas.schier@xxxxxxxxx> wrote:
>
> On Sat, Jul 26, 2025 at 11:25:24PM +0530, Suchit Karunakaran wrote:
> > strcpy() performs no bounds checking and can lead to buffer overflows if
> > the input string exceeds the destination buffer size. This patch replaces
> > it with strlcpy(), which ensures the input is always NULL-terminated,
> > prevents overflows, following kernel coding guidelines.
> >
> > Signed-off-by: Suchit Karunakaran <suchitkarunakaran@xxxxxxxxx>
> >
> > Changes since v1:
> > - Replace strscpy with strlcpy
> >
> > ---
> > scripts/kconfig/lxdialog/inputbox.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
> > index 3c6e24b20f5b..ca778e270346 100644
> > --- a/scripts/kconfig/lxdialog/inputbox.c
> > +++ b/scripts/kconfig/lxdialog/inputbox.c
> > @@ -40,7 +40,7 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
> > if (!init)
> > instr[0] = '\0';
> > else
> > - strcpy(instr, init);
> > + strlcpy(instr, init, MAX_LEN + 1);
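Review bot: the bound on the added line `strlcpy(instr, init, MAX_LEN + 1);` is a hard-coded constant, and nothing in the hunk ties it to the size of the buffer `instr` points at, so it goes stale silently if that declaration ever changes. Take the size from the destination with sizeof instead. The return value is also dropped, so an over-long `init` is truncated with no indication to the caller. Finally, scripts/kconfig is built against the build machine's libc, so strlcpy() has to exist there, and the changelog does not mention that requirement.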
>
> Oh, I am sorry for the bad recommendation. On my Debian bookworm arm64
> machine (w/o libbsd0), this does not compile as strlcpy() is not
> available (same as reported by kernel test robot [1]). As libbsd0 is
> not a documented dependency, strlcpy() should then probably not be used
> either (and Documentation/process/deprecated.rst also argues against
> it).
>
> So, keeping close to Masahiro's mail [2] a few weeks ago, what about
> this?
>
>     else {
>         strncpy(instr, init, sizeof(dialog_input_result) - 1);
>         instr[sizeof(dialog_input_result) - 1] = '\0';
>     }
>

Yeah, even I faced the same error. I initially tested it on Arch Linux
and it worked somehow. However, it didn't work on Debian. I'll send v3
with the changes as you suggested. Thanks for reviewing.
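
The strncpy()-plus-terminator pattern proposed in the thread, shown as an added example that is not code from the patch or the kernel tree. `set_initial_text()`, `strncpy_alone_terminates()` and the small `MAX_LEN` value are assumptions made for the demo; only `dialog_input_result`, `instr` and `init` are names from the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LEN 16	/* constructed demo size, not the value used by kconfig */

static char dialog_input_result[MAX_LEN + 1];

/* Hypothetical helper: copy init into the fixed buffer using only ISO C.
 * Returns 0 if the text fit, 1 if it had to be truncated. */
static int set_initial_text(const char *init)
{
	char *instr = dialog_input_result;
	size_t cap = sizeof(dialog_input_result);	/* bound comes from the array */

	if (!init) {
		instr[0] = '\0';
		return 0;
	}
	strncpy(instr, init, cap - 1);	/* writes at most cap - 1 bytes */
	instr[cap - 1] = '\0';		/* strncpy() does not guarantee this byte */
	return strlen(init) >= cap;	/* report truncation instead of hiding it */
}

/* Hypothetical check: why the explicit terminator is needed. Returns 1 if
 * strncpy() by itself left a NUL within the first 8 bytes, 0 if it did not. */
static int strncpy_alone_terminates(const char *src)
{
	char buf[9];

	memset(buf, 'X', sizeof(buf));
	strncpy(buf, src, 8);
	return memchr(buf, '\0', 8) != NULL;
}

int main(void)
{
	/* Constructed inputs */
	printf("fits:      %d \"%s\"\n", set_initial_text("CONFIG_FOO"),
	       dialog_input_result);
	printf("truncated: %d \"%s\"\n",
	       set_initial_text("0123456789abcdefOVERFLOW"), dialog_input_result);
	printf("strncpy alone, 8-char source terminated: %d\n",
	       strncpy_alone_terminates("abcdefgh"));
	return 0;
}
```
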