Secure Coding mailing list archives
Re: New Microsoft Security Tool for developers
From: Mikey <mike_chan_ () hotmail com>
Date: Thu, 18 Dec 2003 00:45:52 +0000
Kernighan and Ritchie has this; char *strncpy(s,ct,n) Copy at most n characters of string ct to s; return s. Pad with '\0's if ct has fewer than n characters. At 04:28 PM 12/15/2003 -0800, Erik Anderson wrote:
Crispin Cowan 12/15/03 9:14:46 AM >>>
DE> It will copy UP TO len bytes from src to the dest. DE> If the length of src is only 4 bytes, it will only DE> copy 4 bytes to dest, and nullify the rest of the DE> buffer of dest. As such, there is no information DE> disclosure issues with this call as you describe DE> the threat. CC> I cannot find supporting documentation for the CC> claim "and nullify the rest of the buffer of dest". CC> IIRC, strncpy will copy a null byte from src to dst, CC> but it does not nullify the rest of dst. As I don't have a copy of the standard with me, the closest I can come is from the Jan 18, 99 draft: 7.21.2.4 The strncpy function Synopsis #include <string.h> char *strncpy(char * restrict s1, const char * restrict s2, size_t n); Description The strncpy function copies not more than n characters (characters that follow a null character are not copied) from the array pointed to by s2 to the array pointed to by s1. If copying takes place between objects that overlap, the behavior is undefined. If the array pointed to by s2 is a string that is shorter than n characters, null characters are appended to the copy in the array pointed to by s1, until n characters in all have been written. Returns The strncpy function returns the value of s1.
Current thread:
- Re: New Microsoft Security Tool for developers, (continued)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 15)
- Re: New Microsoft Security Tool for developers Crispin Cowan (Dec 15)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 15)
- RE: New Microsoft Security Tool for developers Örjan Petersson (Dec 16)
- strncpy (was: Re: New Microsoft Security Tool for developers) David A. Wheeler (Dec 16)
- Re: strncpy (was: Re: New Microsoft Security Tool for developers) Florian Weimer (Dec 17)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 15)
- Re: New Microsoft Security Tool for developers Dave Aronson (Dec 15)
- Re: New Microsoft Security Tool for developers Gene Spafford (Dec 17)
- Re: New Microsoft Security Tool for developers Mikey (Dec 17)