by letstrynvm
2535 days ago
Yeah... but it's security theatre. They will just use memcpy_s with the dest len and the len set to the same var. Or strncpy with the limit set to strlen(src) etc. These guys will tell you it's suddenly using 'modern security practices'. Conversely depending on the code strcpy / memcpy can be 100% safe. I think these guys are selling static analysis, so they find themselves using these oversimplified metrics... it's a shame because it looks like there was no lack of real issues.
And if I ever saw code where the size parameters weren't legit (as in someone used the same variable for both) I would also be concerned unless proper checks were taking place elsewhere. But it is a bad smell.
That's the only point in that particular finding. They did detail other ways in which the whole development standards seem bad.
And, yes, you can always shoot your own foot, but it's still best not to aim directly at it.
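
The size-parameter pattern both comments discuss, as an added example that is not part of either post: a bounds-checked copy called once with the count reused as the destination size and once with the field's real size. `checked_copy`, `run_case`, `FIELD_CAP` and `ARENA_LEN` are hypothetical names; `checked_copy` stands in for `memcpy_s`, and the 8-byte field sits inside a larger arena so the demonstration itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 8   /* logical destination size (constructed for the demo) */
#define ARENA_LEN 32  /* backing storage that keeps every write in bounds */

/* Hypothetical stand-in for memcpy_s: refuses when n exceeds dst_cap. */
static int checked_copy(void *dst, size_t dst_cap, const void *src, size_t n)
{
    if (dst == NULL || src == NULL || n > dst_cap)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Copies n bytes into the 8-byte field at the start of an arena.
 * honest != 0: dst_cap is the field's real size.
 * honest == 0: dst_cap is the same variable as n, the pattern from the thread.
 * Returns 1 if bytes after the field were overwritten, 0 if they are intact,
 * -1 if the copy was refused (or n is too large for the demo arena). */
static int run_case(size_t n, int honest)
{
    unsigned char arena[ARENA_LEN];
    unsigned char src[ARENA_LEN];
    size_t i;

    if (n > ARENA_LEN)
        return -1;
    memset(arena, 0xAA, sizeof arena);   /* marker for "adjacent data" */
    memset(src, 0x41, sizeof src);       /* constructed input */

    if (checked_copy(arena, honest ? FIELD_CAP : n, src, n) != 0)
        return -1;
    for (i = FIELD_CAP; i < ARENA_LEN; i++)
        if (arena[i] != 0xAA)
            return 1;                    /* data past the field was clobbered */
    return 0;
}

int main(void)
{
    printf("n=16, cap=n         -> %d\n", run_case(16, 0));
    printf("n=16, cap=FIELD_CAP -> %d\n", run_case(16, 1));
    printf("n=8,  cap=FIELD_CAP -> %d\n", run_case(8, 1));
    return 0;
}
```

With the count reused as the capacity, the comparison inside the checked function is `n > n` and can never fail, so a review or lint rule has to look at where the size argument comes from rather than at which copy function is called.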