Secure Coding mailing list archives

Re: What's wrong with this code?


From: "Jared W. Robinson" <jwr () xmission com>
Date: Sat, 13 Dec 2003 04:10:22 +0000

Maybe he's fishing for a better way to solve the problem. Instead of
having the programmer use strncpy safely hundreds of distinct times, use
a set of functions that prevent the programmer from having to repeat the
work.

Here are some alternatives:
1. Use SafeStr http://www.zork.org/safestr/ for UNIX and Windows
2. Use Microsoft's strsafe: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/strsafe.asp
3. Use C++ strings or C++ stringstreams.

- Jared

On Fri, Dec 12, 2003 at 10:10:27AM -0500, Liudvikas Bukys wrote:
Okay, now to this little gem. What's wrong with this code? It's a code sample I
saw recently outlining a safe way to write buffer overrun-free code.

#include <string.h>

void noOverflow(char *str)
{
char buffer[10];
strncpy(buffer,str,(sizeof(buffer)-1));
buffer[(sizeof(buffer)-1)]=0;
/* Avoiding buffer overflow with the above two lines */
}




-- 
"It's a well known technology truism that [not] all of the smart people
work for you, and that one of the surest ways to success is to get more
ideas and more work out of people outside your own fences."
- Tim O'Reilly
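The alternatives Jared lists (SafeStr, strsafe, C++ strings) share one idea: put the bounds arithmetic in a single audited helper that always terminates the destination and tells the caller when data was dropped, instead of repeating the strncpy-plus-manual-terminator dance at every call site. The block below is an added example written for this archive page; it is not code from either poster, nor the SafeStr or strsafe libraries. The helper names copy_str, copy_to_small_buffer and strncpy_terminates are invented here, and the input strings are constructed samples. It also shows the two things strncpy hides: silent truncation, and no terminator at all when the bound equals the buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Return codes for copy_str (hypothetical helper, not SafeStr or strsafe). */
enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BADARG = -1 };

/*
 * Copy src into dst (capacity dst_size bytes), always NUL-terminating and
 * reporting truncation instead of hiding it.  Unlike strncpy it does not
 * zero-pad the rest of dst, and the caller learns whether the whole string
 * arrived.  This mirrors the contract of StringCchCopy-style APIs without
 * depending on them.
 */
static enum copy_result copy_str(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BADARG;

    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';          /* terminator is unconditional */
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, len + 1);             /* len + 1 includes the NUL */
    return COPY_OK;
}

/*
 * Example caller with the same 10-byte buffer as the posted snippet.  The
 * difference is that truncation is visible: it is logged and the number of
 * characters actually kept is returned instead of being thrown away.
 */
static size_t copy_to_small_buffer(const char *str, char out[10])
{
    enum copy_result r = copy_str(out, 10, str);
    if (r == COPY_TRUNCATED)
        fprintf(stderr, "input truncated to %zu chars\n", strlen(out));
    return strlen(out);
}

/*
 * The classic strncpy mistake: bound == sizeof(buffer) with no manual
 * terminator.  Returns 1 if a NUL ended up inside the buffer, 0 if not.
 * (bound is passed in rather than written as sizeof buffer so the
 * compiler does not warn about the deliberate misuse.)
 */
static int strncpy_terminates(const char *src, size_t bound)
{
    char buffer[10];

    if (bound > sizeof buffer)
        bound = sizeof buffer;
    memset(buffer, 'X', sizeof buffer);        /* stand-in for stack garbage */
    strncpy(buffer, src, bound);               /* may leave no terminator */
    return memchr(buffer, '\0', sizeof buffer) != NULL;
}

int main(void)
{
    char out[10];
    /* constructed sample inputs */
    const char *short_in = "hello";
    const char *long_in  = "this string is longer than nine characters";

    printf("short: kept %zu\n", copy_to_small_buffer(short_in, out));
    printf("long:  kept %zu\n", copy_to_small_buffer(long_in, out));
    printf("strncpy terminated short input: %d\n",
           strncpy_terminates(short_in, sizeof out));
    printf("strncpy terminated long input:  %d\n",
           strncpy_terminates(long_in, sizeof out));
    return 0;
}
```

Whether truncation should be an error or merely reported is a policy decision for the caller; what matters is that the helper never lets it pass silently, which is the property the posted noOverflow() lacks.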
