Vulnerability Development mailing list archives

Re: Secure coding in C (was Re: Administrivia #4883)


From: marcow () JENA ENG SUN COM (Marco Walther)
Date: Fri, 14 Jan 2000 13:48:50 -0800


"BT" == Bennett Todd <bet () RAHUL NET> writes:
BT> For a specific case, is there any security hole directly implied by
BT> this C fragment, assuming attackers could control the contents of a
BT> and b?

BT>     char *a = something();
BT>     char *b = something_else();
BT>     int len = strlen(a) + strlen(b);
BT>     char *c = malloc(len + 1);
BT>     if (c == NULL) die("malloc");
BT>     (void) strcat(strcpy(c, a), b);

I don't see any problems here;-)

BT> BTW, what I ended up coding instead of that last line (as it grew
BT> way more complex) was equivalent to:

BT>     snprintf(c, len, "%s%s", a, b) > 0 || die("snprintf");

You're dead! Use (*a == '\0' && *b == '\0') and snprintf() returns `0'!!

Good luck;-)
-- Marco

BT> -Bennett

--
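The failure Marco points out, shown in runnable form. This is an added example, not code from either poster: it reproduces the quoted snprintf() line as posted (buffer size `len`, success test `> 0`) beside a corrected version, and runs both on constructed inputs. `die()` is an assumed stand-in that only prints instead of exiting, so the outcome can be returned to the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the die() the post refers to. A real one would exit;
 * this one just reports, so the functions below can return what happened. */
static void die(const char *msg)
{
    fprintf(stderr, "die: %s\n", msg);
}

/* The concatenation as posted. Returns 1 if die() fires, 0 otherwise.
 * On return *out holds the malloc'd buffer (caller frees). */
int concat_posted(const char *a, const char *b, char **out)
{
    size_t len = strlen(a) + strlen(b);
    int n;
    char *c = malloc(len + 1);
    if (c == NULL) { die("malloc"); *out = NULL; return 1; }

    /* As posted: size argument is len, not len + 1, and the test is > 0. */
    n = snprintf(c, len, "%s%s", a, b);
    *out = c;
    if (!(n > 0)) {
        /* Both strings empty: snprintf(c, 0, "%s%s", "", "") returns 0,
         * which is a success, yet this branch is taken (Marco's point).
         * Note c[0] was never written either. */
        die("snprintf");
        return 1;
    }
    /* Non-empty input: n == len > 0 passes the test, but snprintf was given
     * only len bytes, so the last character of b was silently dropped. */
    return 0;
}

/* Corrected form: pass the whole buffer, and treat a negative return
 * (error) or a return larger than the buffer (truncation) as failure;
 * 0 is a perfectly good result for two empty strings. */
int concat_fixed(const char *a, const char *b, char **out)
{
    size_t len = strlen(a) + strlen(b);
    int n;
    char *c = malloc(len + 1);
    if (c == NULL) { die("malloc"); *out = NULL; return 1; }

    n = snprintf(c, len + 1, "%s%s", a, b);
    *out = c;
    if (n < 0 || (size_t)n != len) {
        die("snprintf");
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the empty/empty case and an ordinary pair. */
    const char *cases[][2] = { { "", "" }, { "foo", "bar" } };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *o1 = NULL, *o2 = NULL;
        int d1 = concat_posted(cases[i][0], cases[i][1], &o1);
        int d2 = concat_fixed(cases[i][0], cases[i][1], &o2);
        printf("a=\"%s\" b=\"%s\": posted -> died=%d result=\"%s\"; "
               "fixed -> died=%d result=\"%s\"\n",
               cases[i][0], cases[i][1],
               d1, (d1 ? "(unset)" : o1),
               d2, (d2 ? "(unset)" : o2));
        free(o1);
        free(o2);
    }
    return 0;
}
```

Two distinct bugs show up in the posted line: the `> 0` test rejects the legitimate zero return for two empty strings, and the size argument `len` leaves no room for the terminator, so snprintf() truncates one character and still reports success. Checking `n < 0 || (size_t)n != len` against a buffer of `len + 1` catches both.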


