memcpy-like and 22% of
strcpy-like function calls in the codebase were to the least safe variants. And assuming safety just from the function name is simplistic even the
safe variants could still be dangerous.
In Huawei’s defense, while they have been subjected to an unusual level of public scrutiny they are definitely not an outlier in having trouble getting developers to adopt secure coding guidelines. In the
memcpy case, it’s been banned at Microsoftsince 2009, but I haven’t personally seen any other companies outside the FAANG (Facebook/Apple/Amazon/Netflix/Google) that have done the same. You can actually tell who has banned the bad POSIX functions empirically, by looking at binaries a non-profit named CITL did a great overview of this and more in the IoT space. As you’d probably guess, the results are dismal.