On Fri, Mar 14, 2014, Derek Martin wrote: > Unfortunately, sometimes when old code is updated, the maintainer > forgets to re-check that everything is copacetic. This can still > happen with the "safe" versions of all these functions too.
Sure, but those functions significantly reduce the risk. We had that problem in some very widely used code and it was basically impossible to "prove" that there were no buffer overflows due to the ways functions were called, global variables updated, etc... So we switched to strlc*() and we _never_ again had to release a security fix for buffer overflows -- that was more than 10 years ago.
