by wybiral
2538 days ago

It doesn't say that those particular uses are dangerous. But it says that their overall standards don't prohibit the use of potentially dangerous methods. In a non-critical application that kind of stuff is usually fine. But for critical infrastructure there are normally rules against using potentially unsafe methods like those entirely. Huawei would need to be more transparent to show that their practices are secure and that these uses are wrapped in some kind of protective framework. But until that happens it's reasonable to be skeptical from a security (and stability) perspective.

They will just use memcpy_s with the dest len and the len set to the same var. Or strncpy with the limit set to strlen(src) etc. These guys will tell you it's suddenly using 'modern security practices'.
Conversely, depending on the code, strcpy / memcpy can be 100% safe.
I think these guys are selling static analysis, so they find themselves using these oversimplified metrics... it's a shame because it looks like there was no lack of real issues.
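The "fixes" the comment above describes, run side by side with a bound that is actually tied to the destination, as an added example that is not code from the thread or from the report under discussion. The buffer size (8 bytes), the source strings and the helper names are assumptions for illustration. Each copier writes into the head of a larger malloc'd block filled with canary bytes, so an overrun lands in the guard region of the same allocation and the demo stays within defined behaviour while still showing which idioms overflow or leave the string unterminated. memcpy_s is C11 Annex K and glibc does not ship it, so its bounds check is spelled out inline to show why `memcpy_s(dst, n, src, n)` can never fail.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DST_SIZE 8      /* assumed size of the destination buffer */
#define CANARY   0xAA   /* fill byte for the guard region after the buffer */

/* Every copier has the same shape: copy src into dst, which holds dst_size
 * bytes. Returns true if the copy completed without truncation. */
typedef bool (*copier_fn)(char *dst, size_t dst_size, const char *src);

struct outcome {
    bool overflowed;    /* wrote past the DST_SIZE-byte buffer */
    bool terminated;    /* left a NUL somewhere inside the buffer */
};

/* Run copier against a DST_SIZE-byte buffer that is the head of a larger
 * malloc'd block filled with CANARY. Any byte changed beyond DST_SIZE means
 * the copier overran the logical buffer. */
static struct outcome run(copier_fn copier, const char *src) {
    size_t guard = strlen(src) + 16;            /* room to absorb the overrun */
    unsigned char *block = malloc(DST_SIZE + guard);
    if (!block) abort();
    memset(block, CANARY, DST_SIZE + guard);
    copier((char *)block, DST_SIZE, src);

    struct outcome out = { false, false };
    for (size_t i = DST_SIZE; i < DST_SIZE + guard; i++)
        if (block[i] != CANARY) out.overflowed = true;
    out.terminated = memchr(block, '\0', DST_SIZE) != NULL;
    free(block);
    return out;
}

/* 1. The original: no bound at all. */
static bool copy_strcpy(char *dst, size_t dst_size, const char *src) {
    (void)dst_size;
    strcpy(dst, src);
    return true;
}

/* 2. strncpy bounded by the *source* length. The limit is a no-op: exactly
 * strlen(src) bytes are written wherever they land, and no terminator is ever
 * written. A grep for strcpy now comes back clean. */
static bool copy_strncpy_srclen(char *dst, size_t dst_size, const char *src) {
    (void)dst_size;
    strncpy(dst, src, strlen(src));
    return true;
}

/* 3. "memcpy_s with the dest len and the len set to the same var". The check
 * memcpy_s performs is count <= destsz; with both taken from the same variable
 * it cannot fire. Spelled out because glibc has no memcpy_s. */
static bool copy_memcpy_same_var(char *dst, size_t dst_size, const char *src) {
    (void)dst_size;
    size_t len = strlen(src) + 1;
    size_t destsz = len;                        /* the bug: not sizeof(dst) */
    if (len > destsz) return false;             /* never true */
    memcpy(dst, src, len);
    return true;
}

/* 4. A bound tied to the destination: copy at most dst_size-1 bytes and
 * always terminate. memchr stops scanning src at dst_size, so an unterminated
 * or huge source cannot drive a read past what we are prepared to copy. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return false;
    const char *nul = memchr(src, '\0', dst_size);
    size_t n = nul ? (size_t)(nul - src) : dst_size;
    bool fits = n < dst_size;                   /* n chars plus the NUL */
    if (!fits) n = dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return fits;
}

/* Copy src with copy_bounded into a fixed DST_SIZE buffer and compare. */
static bool bounded_gives(const char *src, const char *expected, bool expected_fit) {
    char buf[DST_SIZE];
    bool fit = copy_bounded(buf, sizeof buf, src);
    return fit == expected_fit && strcmp(buf, expected) == 0;
}

static void report(const char *name, copier_fn fn, const char *src) {
    struct outcome o = run(fn, src);
    printf("%-22s src=%-14s overflow=%-3s terminated=%s\n", name, src,
           o.overflowed ? "yes" : "no", o.terminated ? "yes" : "no");
}

int main(void) {
    const char *srcs[] = { "AAAAAAAAAAAA", "AAAAAAA" };   /* constructed inputs */
    for (size_t i = 0; i < 2; i++) {
        report("strcpy", copy_strcpy, srcs[i]);
        report("strncpy(strlen(src))", copy_strncpy_srclen, srcs[i]);
        report("memcpy_s(n,..,n)", copy_memcpy_same_var, srcs[i]);
        report("bounded", copy_bounded, srcs[i]);
    }
    return 0;
}
```

With the 12-byte source the first three copiers all clobber the guard region; only the bounded one stays inside the buffer and terminates. With the 7-byte source nothing overflows, but the strncpy variant leaves the buffer without a NUL, which is the quieter failure the same grep-based metric also misses.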