Re: Are bad developer libraries the problem with M$ software?
From: Casper Dik (Casper.DikSun.COM)
Date: Sat Mar 22 2003 - 03:56:54 CST
>On Mon, 2002-11-18 at 17:10, Andrew Griffiths wrote:
>> Another thing to use is consistency, for example,
>> char dst[50];
>> strncpy(dst, user_supplied_data, sizeof(dst));
>> strncat(dst, sizeof(dst) - strlen(dst) -1, moreuserdata);
>> This could be exploitable if user_supplied_data is 50 or more bytes long.
>> In specific,
>> 50 - 50 - 1 == -1
>If sizeof(dst) is 50, then a 0 terminated string is 49 chars long
>(len(dst) is 49). That means we've got 50-49-1 = 0 which is correct as
>there is no room left in dst.
"strncpy" doesn't NUL terminate, so the strlen() in the above code can
return any value, including values *over* 50. Since the "n"
argument to strncat (which, incidentally, is the 3rd, not 2nd argument),
is unsigned, that would mean unlimited copying.
>Of course in your example you allow dst to overflow in the strncpy.
> strncpy(dst, user_supplied_data, sizeof(dst)-1);
>would have prevented that if my math is correct.
As long as you NUL terminated the string.
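The two failure modes discussed in this thread, shown as an added example that is not part of the original message or the quoted code: strncpy() leaving no terminator when the source fills the buffer, and the unsigned remaining-space arithmetic wrapping once strlen() runs past sizeof(dst). The buffer size of 50 is taken from the quoted example; the helper names (strncpy_terminates, remaining_space, copy_then_append) and the constructed inputs of 'x' bytes are assumptions made for the demonstration. The hardened copy_then_append() does what the reply recommends: copy at most sizeof(dst)-1 bytes, terminate explicitly, and only then compute how much room is left.

```c
#include <stdio.h>
#include <string.h>

#define DST_SIZE  50    /* sizeof(dst) in the quoted example */
#define MAX_INPUT 128   /* upper bound for constructed test inputs */

/* Constructed input: n bytes of 'x' followed by a NUL (hypothetical helper). */
static void make_input(char *buf, size_t n)
{
    if (n > MAX_INPUT)
        n = MAX_INPUT;
    memset(buf, 'x', n);
    buf[n] = '\0';
}

/* Returns 1 if strncpy() left a NUL somewhere inside dst, 0 if every byte of
 * dst is a source byte. memchr() is used rather than strlen() because strlen()
 * on an unterminated buffer reads past its end (undefined behaviour). */
static int strncpy_terminates(size_t srclen)
{
    char src[MAX_INPUT + 1];
    char dst[DST_SIZE];

    make_input(src, srclen);
    memset(dst, 'A', sizeof(dst));            /* sentinel: no stray NULs */
    strncpy(dst, src, sizeof(dst));           /* the quoted call, verbatim */
    return memchr(dst, '\0', sizeof(dst)) != NULL;
}

/* Checked form of "sizeof(dst) - strlen(dst) - 1". Returns -1 instead of a
 * value when len >= dstsz, which is exactly the case where the unsigned
 * subtraction in the quoted code wraps to a huge size_t. */
static long remaining_space(size_t dstsz, size_t len)
{
    if (dstsz == 0 || len >= dstsz)
        return -1;
    return (long)(dstsz - len - 1);
}

/* Hardened copy-then-append: copy at most dstsz-1 bytes, terminate
 * explicitly, then append only into the room that is actually left.
 * Returns the final string length, which is always < dstsz. */
static size_t copy_then_append(char *dst, size_t dstsz,
                               const char *first, const char *second)
{
    long room;

    if (dstsz == 0)
        return 0;
    strncpy(dst, first, dstsz - 1);
    dst[dstsz - 1] = '\0';                    /* the step the quoted code omits */
    room = remaining_space(dstsz, strlen(dst));
    if (room > 0)
        strncat(dst, second, (size_t)room);   /* n is the 3rd argument */
    return strlen(dst);
}

/* Runs copy_then_append() on constructed inputs of the given lengths into a
 * DST_SIZE buffer and returns the resulting length (hypothetical helper). */
static size_t copy_then_append_len(size_t firstlen, size_t secondlen)
{
    char first[MAX_INPUT + 1], second[MAX_INPUT + 1], dst[DST_SIZE];

    make_input(first, firstlen);
    make_input(second, secondlen);
    return copy_then_append(dst, sizeof(dst), first, second);
}

int main(void)
{
    printf("strncpy terminates for 49-byte input: %d\n", strncpy_terminates(49));
    printf("strncpy terminates for 50-byte input: %d\n", strncpy_terminates(50));
    printf("remaining_space(50, 50) = %ld (refused)\n", remaining_space(50, 50));
    printf("copy_then_append_len(60, 4)  = %zu\n", copy_then_append_len(60, 4));
    printf("copy_then_append_len(45, 10) = %zu\n", copy_then_append_len(45, 10));
    return 0;
}
```

With a 49-byte source, strncpy() pads the last byte with NUL and the string is terminated; at 50 bytes or more the buffer holds no terminator at all, which is why strlen(dst) in the quoted code is not bounded by 50. The hardened version never reaches a negative (wrapped) remaining count because it terminates before measuring and refuses to compute room when the string already fills the buffer.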