RE: Any reason not to use strcpy, strcat or scanf?

["Rocky Heckman" <rocky.he () g-wizinnovations com>]

Hello,
In all fairness, you can use them all you want. However, you need to be very
careful about your bounds checking and making sure any user input is
validated for correctness, length, and hostile character patterns. 

So it's not that they should never be used, but that you should use the
safer alternatives, or use these very carefully.

I imagine Mr. Keller is the 'err on the side of caution' type which isn't a
bad thing in this industry. 

RH

-----Original Message-----
From: Keller, Tim [mailto:Tim.Keller () stratus com] 
Sent: Thursday, 15 July 2004 5:23 AM
To: Secbasics
Subject: RE: Any reason not to use strcpy, strcat or scanf?

A.V.,

Yeah.  The reason you shouldn't use these because they don't do any bounds
checking.  Thus you could have a situation where you've defined an 80
character array and then write a 180 characters into it, going off the end
of the variable and stomping on whatever is past it...

What you should use is strncpy and strncat.  These force you to specify that
you only copy or concatonate "n" bytes from the source into the destination.

Check out this site, it's got some very good info on what your interested
in.

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/dangers-c.html


-----Original Message-----
From: A.V. [mailto:pahalial.lists () gmail com]
Sent: Wednesday, July 14, 2004 7:00 AM
To: Secbasics
Subject: Any reason not to use strcpy, strcat or scanf?


Hi,

I was simply wondering after seeing the "blackhat audit" program sent
to F-D whether there was actually any reason not to use these
functions (strcpy/strcat/scanf) in your code. I mean, I understand why
you shouldn't use scanf to i.e. process user input, but other than
that? Some kind of unexpected behaviour or something?

Thanks,
A.V.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------