Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New Microsoft Security Tool for developers

From: Jeremy Thibeaux <jthibeaux () yahoo com>
Date: Fri, 12 Dec 2003 19:36:46 +0000
Perhaps it would be better to check for str == null.

Jeremy Thibeaux
Lucid Factory, inc.

--- Liudvikas Bukys <[EMAIL PROTECTED]> wrote:


The Michael Howard MSDN article on the Windows
Application Verifier
closes with the following "little gem".  I'm afraid
that the answer
does not leap out at me.  Does anyone see through
it?



http://msdn.microsoft.com/library/en-us/dncode/html/secure12112003.asp


-----

Okay, now to this little gem. What's wrong with this
code? It's a code sample I saw recently on outlining
a safe way to write buffer overrun-free code.

void noOverflow(char *str)
{
char buffer[10];
strncpy(buffer,str,(sizeof(buffer)-1));
buffer[(sizeof(buffer)-1)]=0;
/* Avoiding buffer flow with the above two lines */
}
Previous By Date Next
Previous By Thread Next

Current thread: