|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Secure coding in C (was Re: Administrivia #4883)
Subject: Re: Secure coding in C (was Re: Administrivia #4883)
From: Marc Slemko (marcs
ZNEP.COM)
Date: Fri Jan 21 2000 - 02:12:16 CST
- Next message: Seth R Arnold: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Previous message: Marco Walther: "Re: Secure coding in C (was Re: Administrivia #4883)"
- In reply to: Tellier, Brock: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Next in thread: Warner Losh: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Next in thread: Blue Boar: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Reply: Marc Slemko: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 20 Jan 2000, Tellier, Brock wrote:
> In message <<A HREF="mailto:Pine.LNX.4.03.10001161207550.7428-100000brian.citynet.net">Pine.LNX.4.03.10001161207550.7428-100000brian.citynet.net</A>> Brian Masney writes:
> : On some UNIX systems, snprintf does not guarentee that it will nul
> : terminate the string. I know on some older versions of libc5 (sorry,
> : don't have an exact version), if the buffer you was writing to got to the
> : max size you passed it, it would stop there without adding the nul. So,
> : you'll run into problems later on if you pass it to a string
> : function (like strcpy())
>
> >snprintf is *DEFINED* to NUL terminate the string. Systems >that don't
> >do this are broken. That's why it is used as widely as it >is.
>
> >From the Solaris 7 snprintf man page:
>
> The snprintf() function is identical to sprintf()
> with the addition of the argument n, which specifies
> the size of the buffer referred to by s. The buffer is terminated with the null byte only if space is available.
> --------------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Meaning that one shouldn't copy more than bufsize - 1 bytes or risk a bof later on.
Well then it is broken.
Well, the man page is at least.
The code seems to do the right thing, at least on 2.6:
hostname:/tmp$ cat foo.c
#include <stdio.h>
int main() {
char buff[11];
strcpy(buff, "0123456789");
snprintf(buff, 3, "abcdefg");
printf("%s\n", buff);
return(0);
}
hostname:/tmp$ gcc -Wall foo.c -o foo
hostname:/tmp$ ./foo
ab
hostname:/tmp$
But for portable code you need to include your own snprintf anyway if you
want to use it, so you may as well use it everywhere. We did in Apache
and never looked back. Even more usefully, in Apache it is expanded to
allow a psprintf that returns a string dynamically allocated using
Apache's pool mechanism, so in places where dynamic allocation is
appropriate, it isn't even a consideration.
(the "where it is appropriate" bit is, however, important, sine simply
switching everything to dynamically allocate memory has obvious DoS
potential in some situations)
- Next message: Seth R Arnold: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Previous message: Marco Walther: "Re: Secure coding in C (was Re: Administrivia #4883)"
- In reply to: Tellier, Brock: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Next in thread: Warner Losh: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Next in thread: Blue Boar: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Reply: Marc Slemko: "Re: Secure coding in C (was Re: Administrivia #4883)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b27 : Fri Jan 21 2000 - 02:30:51 CST