Secure Coding mailing list archives

Re: New Microsoft Security Tool for developers


From: Crispin Cowan <crispin () immunix com>
Date: Tue, 16 Dec 2003 01:04:01 +0000


Dana Epp wrote:

> It will copy UP TO len bytes from src to the dest. If the length of src is
> only 4 bytes, it will only copy 4 bytes to dest, and nullify the rest of the
> buffer of dest. As such, there is no information disclosure issues with this
> call as you describe the threat.

I cannot find supporting documentation for the claim "and nullify the 
rest of the buffer of dest". IIRC, strncpy will copy a null byte from 
src to dst, but it does not nullify the rest of dst.


Furthermore, the null byte is copied from src to dst IFF there is room 
for it. This is one of the subtle "gotchas" of strncpy: if the string in src 
is exactly the length of the n parameter, then strncpy is perfectly 
happy to copy the text and *not* null-terminate it. This *can* leave you 
with an information leakage situation, in that subsequent attempts to 
puts or printf that string will dump the bytes past the end of dst until 
they hit a null.


This semantics is screwed up. It is also defined by the standard. Thus leading 
to long flame wars about whether 'tis nobler in the mind to suffer the 
slings and arrows of crappy APIs, or to take up better APIs against a 
sea of standards documents, and by opposing, end them [Hamlet, sort of :]


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
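An added example in C, written for this archive page and not part of Crispin's message or the thread, that exercises the strncpy cases discussed above on constructed inputs: a source shorter than n, a source exactly n bytes long, and a small bounded-copy wrapper that always terminates and reports truncation. C99 7.21.2.4 specifies the two behaviours the first two functions measure: when src is shorter than n the remainder of dst is filled with null bytes, and when src is n bytes or longer no terminator is written at all. The `%.*s` form at the end shows how a caller can bound what printf reads when a buffer might lack a terminator. All function names and buffer sizes are my own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fill a scratch buffer with a sentinel, run strncpy(buf, src, n), and
 * report whether a NUL exists anywhere in the first n bytes.
 * Returns 1 if terminated, 0 if not, -1 if n is out of range. */
int strncpy_leaves_terminator(const char *src, size_t n)
{
    char buf[64];
    if (n == 0 || n > sizeof buf) return -1;
    memset(buf, 'X', sizeof buf);           /* sentinel: never a NUL */
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

/* Count how many of buf[0..n) strncpy set to NUL for this src.
 * For a short src this shows the padding the standard requires. */
size_t strncpy_nul_count(const char *src, size_t n)
{
    char buf[64];
    if (n == 0 || n > sizeof buf) return 0;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, n);
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\0') count++;
    return count;
}

/* Defensive wrapper: copy at most n-1 bytes, always write a terminator,
 * and tell the caller whether src was cut short. (Constructed helper.) */
bool bounded_copy(char *dst, size_t n, const char *src)
{
    if (n == 0) return false;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) >= n;                /* true when src did not fit */
}

/* Length of the string bounded_copy leaves in an n-byte buffer. */
size_t bounded_copy_len(const char *src, size_t n)
{
    char dst[64];
    if (n == 0 || n > sizeof dst) return 0;
    bounded_copy(dst, n, src);
    return strlen(dst);
}

/* Truncation flag bounded_copy reports for an n-byte buffer. */
bool bounded_copy_truncated(const char *src, size_t n)
{
    char dst[64];
    if (n == 0 || n > sizeof dst) return false;
    return bounded_copy(dst, n, src);
}

int main(void)
{
    char dst[8];

    printf("\"abc\" into 8 bytes: terminator=%d, nul bytes=%zu\n",
           strncpy_leaves_terminator("abc", 8), strncpy_nul_count("abc", 8));
    printf("\"abcdefgh\" into 8 bytes: terminator=%d\n",
           strncpy_leaves_terminator("abcdefgh", 8));

    bool cut = bounded_copy(dst, sizeof dst, "abcdefghij");
    printf("bounded_copy: \"%s\" truncated=%d\n", dst, cut);

    /* Bounded print: reads at most sizeof dst bytes even without a NUL. */
    printf("bounded print: \"%.*s\"\n", (int)sizeof dst, dst);
    return 0;
}
```

The two measurement functions deliberately never print the scratch buffer with `%s`; reading past the copied bytes is exactly the over-read the message describes, so the check is done with memchr and a counted loop instead.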