OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Vuln-Dev Archives: Re: Secure coding in C (was Re: Administrivi

Re: Secure coding in C (was Re: Administrivia #4883)

Subject: Re: Secure coding in C (was Re: Administrivia #4883)
From: Liviu Daia (Liviu.DaiaIMAR.RO)
Date: Fri Jan 14 2000 - 16:56:13 CST

On 14 January 2000, Marco Walther <marcowJENA.ENG.SUN.COM> wrote:
> >>>>> "BT" == Bennett Todd <betRAHUL.NET> writes:
> BT> For a specific case, is there any security hole directly implied
> BT> by this C fragment, assuming attackers could control the contents
> BT> of a and b?
>
> BT> char *a = something();
> BT> char *b = something_else();
> BT> int len = strlen(a) + strlen(b);
> BT> char *c = malloc(len + 1) || die("malloc");
> BT> (void) strcat(strcpy(c, a), b);
>
> I don't see any problems here;-)
[...]

    Oh, come on. What if a and b are not null-terminated?

    This is not only bad style, it's also a PITA to write (not to
mention audit), because the length calculations involved are way too
easy to get wrong.

    Regards,

    Liviu Daia 

--
Dr. Liviu Daia               e-mail:   Liviu.Daiaimar.ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc

This archive was generated by hypermail 2b27 : Sun Jan 16 2000 - 00:18:20 CST