Re: New Microsoft Security Tool for developers

[Avner Peled <avnerp () bezeqint net>]

I think he meant that strncpy is not the right function to use when
dealing with raw buffers and it's better to use memcpy or the function
mentioned in this paper:
http://www.courtesan.com/todd/papers/strlcpy.html

On Fri, 2003-12-12 at 17:10, Liudvikas Bukys wrote:

> The Michael Howard MSDN article on the Windows Application Verifier
> closes with the following "little gem".  I'm afraid that the answer
> does not leap out at me.  Does anyone see through it?
>
> http://msdn.microsoft.com/library/en-us/dncode/html/secure12112003.asp
>
> -----
>
> Okay, now to this little gem. What's wrong with this code? It's a code sample I saw recently on outlining a safe way 
> to write buffer overrun-free code.
>
> void noOverflow(char *str)
> {
> char buffer[10];
> strncpy(buffer,str,(sizeof(buffer)-1));
> buffer[(sizeof(buffer)-1)]=0;
> /* Avoiding buffer flow with the above two lines */
> }