Re: Secure coding in C (was Re: Administrivia #4883)


Subject: Re: Secure coding in C (was Re: Administrivia #4883)
From: Marco Walther (marcowJENA.ENG.SUN.COM)
Date: Fri Jan 14 2000 - 15:48:50 CST


>>>>> "BT" == Bennett Todd <betRAHUL.NET> writes:
BT> For a specific case, is there any security hole directly implied by
BT> this C fragment, assuming attackers could control the contents of a
BT> and b?

BT> char *a = something();
BT> char *b = something_else();
BT> int len = strlen(a) + strlen(b);
BT> char *c = malloc(len + 1) || die("malloc");
BT> (void) strcat(strcpy(c, a), b);

I don't see any problems here;-)

BT> BTW, what I ended up coding instead of that last line (as it grew
BT> way more complex) was equivalent to:

BT> snprintf(c, len, "%s%s", a, b) > 0 || die "snprintf";

You're dead! Use (*a == '\0' && *b == '\0') and snprintf() returns `0'!!

Good luck;-)
-- Marco

BT> -Bennett
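
Added example, not part of the original message: the return-value point raised above, worked through in C. It assumes C99 `snprintf` semantics (the return value is the length that would have been written, negative on error); `concat_checked` and `thread_check_would_die` are hypothetical names, and the second function only isolates the `snprintf(c, len, ...) > 0` test quoted in the thread so its result can be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: concatenate a and b into a fresh buffer.
 * Returns NULL on size overflow, allocation failure, snprintf error or
 * truncation. Assumes C99 snprintf return-value semantics. */
char *concat_checked(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la >= SIZE_MAX - lb)            /* la + lb + 1 would wrap */
        return NULL;
    size_t size = la + lb + 1;          /* room for the terminating NUL */
    char *c = malloc(size);
    if (c == NULL)
        return NULL;
    int n = snprintf(c, size, "%s%s", a, b);
    /* n < 0: error. n >= size: truncated. n == 0 is a valid result
     * (both inputs empty), so "> 0" is not a success test. */
    if (n < 0 || (size_t)n >= size) {
        free(c);
        return NULL;
    }
    return c;
}

/* The check quoted in the thread, isolated: buffer of len + 1 bytes, size
 * argument len, success defined as "> 0". Returns 1 if that check would
 * call die(), 0 if it passes, -1 if out is too small for the demo. */
int thread_check_would_die(const char *a, const char *b, char *out, size_t outsz)
{
    size_t len = strlen(a) + strlen(b);
    if (len + 1 > outsz) return -1;
    return !(snprintf(out, len, "%s%s", a, b) > 0);
}

int main(void)
{
    char buf[16] = "";
    char *c = concat_checked("", "");
    printf("checked concat of two empty strings: %s\n", c ? "ok" : "NULL");
    free(c);
    printf("thread check, empty inputs: die=%d\n",
           thread_check_would_die("", "", buf, sizeof buf));
    int d = thread_check_would_die("ab", "cd", buf, sizeof buf);
    printf("thread check, \"ab\"+\"cd\": die=%d, buffer=\"%s\"\n", d, buf);
    return 0;
}
```

Passing `len` rather than `len + 1` as the size also drops the last character of the result, because `snprintf` reserves one byte of the stated size for the NUL; the `> 0` test does not notice this.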
