So what is the issue? Howard claims that GnuTLS makes liberal use of strcpy(), strcat() and strlen(). Those functions are known to be responsible for several buffer overflow attacks in current programs. GnuTLS, however, has had a few vulnerabilities (discussed on our security advisories page), but none of them was a buffer overflow. Why is that? Because we don't use strcpy() and strcat() liberally. We don't use them on data originating from the network or the user, or without checking boundaries. GnuTLS includes a custom string library, the gnutls_buffer_st interface in gnutls_str, which is used in most cases.
So why was Howard concerned about our liberal use of strcpy() and strcat()? We do use those functions, but for copying static strings and strings that originate within the library. E.g. our ASN.1 library identifies objects by a string of the form "PKIX1.CRLDistributionPoints.?1.distributionPoint.fullName" or "PKIX1.CRLDistributionPoints.?5.distributionPoint.fullName". Thus on several occasions we do something like
/* the array size did not survive in this copy of the text; 128 is a placeholder large enough for these names */
char str[128];
gnutls_str_cpy(str, sizeof(str), "PKIX1.CRLDistributionPoints.");
gnutls_str_cat(str, sizeof(str), "?1.distributionPoint.fullName");

Our versions of strcpy() and strcat() provide safer wrappers over the libc functions that will never overflow the destination buffer. Other cases involve strings that are locally generated and controlled. Thus seeing strcpy() or strcat() in a program does not mean that it is vulnerable to buffer overflow attacks. Two more things are required: user or network input must be involved, and bounds checking must not be done. As far as we know, neither is or was true for GnuTLS.
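To make the argument concrete, here is what a bounded copy/concatenate pair of the kind described above does. This is an added illustration written for this page, not the gnutls_str implementation; the names bounded_cpy(), bounded_cat() and build_oid_name() are my own, as is the convention of returning -1 when the source did not fit. The point it shows is the one the text makes: when the destination size is passed along and truncation is reported, a library-internal string assembled this way cannot overflow, whatever the buffer size turns out to be.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy: dst is always NUL-terminated (if dst_size > 0).
 * Returns 0 if src fit completely, -1 if it was truncated. */
int bounded_cpy(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst_size == 0)
        return -1;

    len = strlen(src);
    if (len >= dst_size) {
        /* Copy what fits and terminate; never write past dst_size. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Bounded concatenate: appends src to the NUL-terminated string in dst.
 * dst_size is the total size of dst, not the remaining space.
 * Returns 0 if everything fit, -1 on truncation or an unterminated dst. */
int bounded_cat(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;

    /* Find the current end without reading beyond dst_size. */
    while (used < dst_size && dst[used] != '\0')
        used++;
    if (used == dst_size)
        return -1; /* dst not terminated: nothing safe to append to */

    return bounded_cpy(dst + used, dst_size - used, src);
}

/* Assembles the ASN.1 object name from the page's example
 * ("PKIX1.CRLDistributionPoints.?<index>.distributionPoint.fullName")
 * into a caller-supplied buffer. Returns 0 on success, -1 if the
 * buffer was too small; out stays NUL-terminated either way. */
int build_oid_name(char *out, size_t out_size, int index)
{
    char idx[16]; /* "?" + decimal index + "." always fits here */

    snprintf(idx, sizeof(idx), "?%d.", index);

    if (bounded_cpy(out, out_size, "PKIX1.CRLDistributionPoints.") != 0)
        return -1;
    if (bounded_cat(out, out_size, idx) != 0)
        return -1;
    if (bounded_cat(out, out_size, "distributionPoint.fullName") != 0)
        return -1;
    return 0;
}

/* Self-check: a buffer large enough yields the exact expected name. */
int demo_fits(void)
{
    char buf[64];

    if (build_oid_name(buf, sizeof(buf), 1) != 0)
        return 0;
    return strcmp(buf,
        "PKIX1.CRLDistributionPoints.?1.distributionPoint.fullName") == 0;
}

/* Self-check: a buffer that is too small reports truncation and is
 * still a properly terminated string no longer than the buffer. */
int demo_truncates(void)
{
    char small[16];

    if (build_oid_name(small, sizeof(small), 5) != -1)
        return 0;
    return strlen(small) < sizeof(small);
}

int main(void)
{
    printf("large buffer builds full name: %s\n", demo_fits() ? "yes" : "no");
    printf("small buffer reports truncation: %s\n", demo_truncates() ? "yes" : "no");
    return 0;
}
```

The wrappers take the total destination size rather than the remaining space, so the caller passes sizeof(str) at every step exactly as in the snippet above; the place where a plain strcat() would have written past the end instead becomes a return value the caller can check.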
Of course no one is claiming that GnuTLS is perfect and bug-free. No software is bug-free, and don't believe anyone who claims otherwise. My claim is that this specific critique is invalid.