oss-sec mailing list archives
Off-by-one question
From: Joshua Roers <honey () internot info>
Date: Sat, 22 Nov 2014 17:28:00 +1100
Hi guys, I'm just wondering, is it possible to use strncpy to overwrite memory addresses? i.e:
char buf[4]; strncpy(buf, "Four", sizeof(buf)); buf[sizeof(buf)-1] = '\0'; printf("%s\n", buf);
Since
strncpy(buf, "Four", sizeof(buf));
is not
strncpy(buf, "Four", sizeof(buf)-1);
will strncpy write beyond the memory of 'buf', and set it to NUL?
From my understanding from
http://cwe.mitre.org/data/definitions/193.html, it would. ".. creating a buffer overflow that may cause a memory address to be overwritten .." But actually RTFM, strncpy will not write, even the NUL, past the size. So it looks like I'm either reading mitre wrong, or it may be outdated. Any opinions on this? Thanks, -- -- Joshua Rogers <https://internot.info/>
Current thread:
- Off-by-one question Joshua Roers (Nov 21)
- Re: Off-by-one question Simon McVittie (Nov 22)
- Re: Off-by-one question Stuart Gathman (Nov 22)
- Re: Off-by-one question Joshua Rogers (Nov 22)