Secure Coding mailing list archives
Re: What's wrong with this code?
From: "Jared W. Robinson" <jwr () xmission com>
Date: Sat, 13 Dec 2003 04:10:22 +0000
Maybe he's fishing for a better way to solve the problem. Instead of having the programmer use strncpy safely hundreds of distinct times, use a set of functions that prevent the programmer from having to repeat the work.

Here are some alternatives:

1. Use SafeStr http://www.zork.org/safestr/ for UNIX and Windows
2. Use Microsoft's strsafe: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/strsafe.asp
3. Use C++ strings or C++ stringstreams.

- Jared

On Fri, Dec 12, 2003 at 10:10:27AM -0500, Liudvikas Bukys wrote:
> Okay, now to this little gem. What's wrong with this code? It's a code sample I saw recently on outlining a safe way to write buffer overrun-free code.
>
>     void noOverflow(char *str)
>     {
>         char buffer[10];
>         strncpy(buffer,str,(sizeof(buffer)-1));
>         buffer[(sizeof(buffer)-1)]=0;
>         /* Avoiding buffer flow with the above two lines */
>     }
-- "It's a well known technology truism that [not] all of the smart people work for you, and that one of the surest ways to success is to get more ideas and more work out of people outside your own fences." - Tim O'Reilly
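An added example, not part of the original message and not the SafeStr or strsafe API: one way to write the kind of reusable helper the reply suggests, so the bounds handling is written once instead of at every strncpy call site. The names copy_bounded, COPY_TO_ARRAY, no_overflow and the status codes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes for this example. */
enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARG = 2 };

/*
 * Copy src into dst, whose capacity is dstsize bytes including the
 * terminator. dst is always NUL-terminated when it is usable, and a
 * source that does not fit is reported instead of silently cut short.
 */
enum copy_status copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;

    if (dst == NULL || dstsize == 0)
        return COPY_BAD_ARG;          /* nowhere to write, not even '\0' */
    if (src == NULL) {
        dst[0] = '\0';                /* leave a valid empty string */
        return COPY_BAD_ARG;
    }
    /* Copy at most dstsize - 1 bytes, never reading past src's '\0'. */
    while (n < dstsize - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (src[n] == '\0') ? COPY_OK : COPY_TRUNCATED;
}

/* For true arrays only: sizeof on a pointer would give the wrong size. */
#define COPY_TO_ARRAY(arr, src) copy_bounded((arr), sizeof(arr), (src))

/* The quoted function rebuilt on the helper; the caller sees the result. */
enum copy_status no_overflow(const char *str)
{
    char buffer[10];
    return COPY_TO_ARRAY(buffer, str);
}

int main(void)
{
    printf("fits:      %d\n", no_overflow("short"));
    printf("truncated: %d\n", no_overflow("much longer than ten bytes"));
    printf("null:      %d\n", no_overflow(NULL));
    return 0;
}
```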