Secure Coding mailing list archives
Re: New Microsoft Security Tool for developers
From: "Mark Graff" <mark () markgraff com>
Date: Sun, 14 Dec 2003 03:08:50 +0000
Sorry if someone else has already made this point. But one flaw I see is that (as it was presented here) the code is not matched by a specification. It was Gene who first pointed out to me years ago that there can be no absolute measure of "security", since so many diverse requirements sets exist. (He said it better.) I love Gene's point in this thread, and would add that unless we possess or posit some understanding of what the routine is intended to do, the context it must operate in, and "how much" security is desired, we can't determine whether it is "secure enough". -mg- ----- Original Message ----- From: "Gene Spafford" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Saturday, December 13, 2003 6:57 AM Subject: RE: [SC-L] New Microsoft Security Tool for developers
Many good comments have been made. But consider: main() { char fbuf[2]; noOverflow(fbuf); } void noOverflow(char *str) { char buffer[10]; strncpy(buffer,str,(sizeof(buffer)-1)); buffer[(sizeof(buffer)-1)]=0; /* Avoiding buffer overflow with the above two lines */ } Several of you pointed out that the subroutine should check that the passed-in pointer is non-null. But remember that it is only a pointer -- there is no way to ensure that the buffer pointed to has at least 10 entries if it is non-null! This is one of the biggest problems with C, as has been noted already -- strings (and arrays in general) do not have their lengths as intrinsic values associated with them. Thus, the fix I would suggest is that the subroutine have an extra argument added -- the length of the buffer: void noOverflow(char *str, unsigned int bufsize) { if (str == NULL || bufsize == 0) return; strncpy(buffer,str, bufsize-1)); buffer[bufsize-1]=0; } Then depend on the compiler to catch argument mismatches. There are other stylistic tweaks that could help (use of "const" for instance, or filling the whole buffer) but this is the problem that will silently bite you on the butt if you don't program defensively. --spaf
Current thread:
- Re: New Microsoft Security Tool for developers, (continued)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 13)
- Re: What's wrong with this code? Jared W. Robinson (Dec 12)
- RE: New Microsoft Security Tool for developers David Crocker (Dec 12)
- Re: New Microsoft Security Tool for developers der Mouse (Dec 13)
- Re: New Microsoft Security Tool for developers der Mouse (Dec 13)
- RE: New Microsoft Security Tool for developers Tegels, Kent (Dec 09)
- RE: New Microsoft Security Tool for developers Lewis, Todd (Dec 12)
- RE: New Microsoft Security Tool for developers Chris Richards (Dec 12)
- Re: New Microsoft Security Tool for developers der Mouse (Dec 13)
- RE: New Microsoft Security Tool for developers Gene Spafford (Dec 13)
- Re: New Microsoft Security Tool for developers Mark Graff (Dec 13)
- RE: New Microsoft Security Tool for developers Jannie Hanekom (Dec 14)
- Re: New Microsoft Security Tool for developers der Mouse (Dec 15)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 15)
- Re: New Microsoft Security Tool for developers Crispin Cowan (Dec 15)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 15)
- RE: New Microsoft Security Tool for developers Örjan Petersson (Dec 16)
- strncpy (was: Re: New Microsoft Security Tool for developers) David A. Wheeler (Dec 16)
- Re: strncpy (was: Re: New Microsoft Security Tool for developers) Florian Weimer (Dec 17)
- Re: New Microsoft Security Tool for developers Dave Aronson (Dec 15)