On Fri, Nov 7, 2014, at 02:03, k...@shike2.com wrote:
> I disagree, check the size before calling strcpy. If you want to
> avoid security risk you also have to check the output of strlcpy
> to detect truncations, so you don't win anything. In both cases
> you have to add a comparison, so it is better to use strcpy that
> is standard.
There are numerous scenarios where an overflow has security implications but a truncation does not. For example, if an attacker can supply any string, they could supply the shorter one to begin with, and therefore don't benefit from truncation.
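The two patterns argued over above, side by side, as an added example that is not part of either poster's message. Both need one comparison, but they fail differently: the pre-checked strcpy refuses the copy outright, while the checked strlcpy leaves a NUL-terminated prefix in the buffer and reports the truncation through its return value. `my_strlcpy` is a portable reimplementation with BSD semantics, added here only because glibc does not ship strlcpy; the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable strlcpy with BSD semantics (added example, not libc code):
 * copies at most size-1 bytes, always NUL-terminates when size > 0,
 * and returns strlen(src) so the caller can compare it against size. */
size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Pattern 1: check the length before calling strcpy.
 * Returns 1 on success, 0 when src would not fit; on 0 nothing is written,
 * so dst keeps whatever it held before. */
int copy_checked_strcpy(char *dst, size_t size, const char *src) {
    if (size == 0 || strlen(src) >= size)
        return 0; /* would overflow: refuse the copy */
    strcpy(dst, src);
    return 1;
}

/* Pattern 2: strlcpy, then compare its return value to detect truncation.
 * Returns 1 when the whole string fit, 0 when it was truncated; in either
 * case dst holds a NUL-terminated string and no byte past size-1 is touched. */
int copy_strlcpy_checked(char *dst, size_t size, const char *src) {
    return my_strlcpy(dst, src, size) < size;
}

/* Shared 8-byte destination used by the demonstration (constructed). */
char demo_buf[8];

int main(void) {
    const char *inputs[] = { "short", "definitely-too-long" }; /* constructed */
    for (size_t i = 0; i < 2; i++) {
        memset(demo_buf, 'X', sizeof demo_buf - 1);
        demo_buf[sizeof demo_buf - 1] = '\0';
        int ok1 = copy_checked_strcpy(demo_buf, sizeof demo_buf, inputs[i]);
        printf("strcpy+precheck  \"%s\": ok=%d buf=\"%s\"\n", inputs[i], ok1, demo_buf);
        int ok2 = copy_strlcpy_checked(demo_buf, sizeof demo_buf, inputs[i]);
        printf("strlcpy+retcheck \"%s\": ok=%d buf=\"%s\"\n", inputs[i], ok2, demo_buf);
    }
    return 0;
}
```

Run it and the long input shows the difference the reply is getting at: the pre-checked strcpy leaves the buffer untouched and returns 0, while strlcpy fills it with the 7-byte prefix `definit`, terminates it, and also returns 0. Neither path writes past the buffer; the only question left for the caller is whether a silently shortened value is acceptable for that field.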