oss-sec mailing list archives

Off-by-one question

From: Joshua Roers <honey () internot info>
Date: Sat, 22 Nov 2014 17:28:00 +1100

Hi guys,

I'm just wondering, is it possible to use strncpy to overwrite memory
addresses?

i.e:

char buf[4];
strncpy(buf, "Four", sizeof(buf));
buf[sizeof(buf)-1] = '\0';
printf("%s\n", buf);


Since

strncpy(buf, "Four", sizeof(buf));

is not

strncpy(buf, "Four", sizeof(buf)-1);

will strncpy write beyond the memory of 'buf', and set it to NUL?

From my understanding from

http://cwe.mitre.org/data/definitions/193.html, it would.
".. creating a buffer overflow that may cause a memory address to be
overwritten .."


But actually RTFM, strncpy will not write, even the NUL, past the size.

So it looks like I'm either reading mitre wrong, or it may be outdated.


Any opinions on this?


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

Current thread:

Off-by-one question Joshua Roers (Nov 21)
- Re: Off-by-one question Simon McVittie (Nov 22)
- Re: Off-by-one question Stuart Gathman (Nov 22)
  - Re: Off-by-one question Joshua Rogers (Nov 22)