Vulnerability Development mailing list archives

Secure coding in C (was Re: Administrivia #4883)


From: bet () RAHUL NET (Bennett Todd)
Date: Fri, 14 Jan 2000 16:08:41 -0500


2000-01-14-13:20:27 nascheme:
ICQ is a disaster waiting to happen.  There is strcat and strcpy
all over the place last time I looked at it.  I didn't have time
to develop and exploit though.

NB: I don't mean here to imply that ICQ is secure:-).

I don't think strcat and strcpy necessarily imply exploits, of
themselves; by one of these creepy coincidences I'm doing some
security-critical programming right now[*], and for the modest
amount of string processing needed I started off using them,
suitably protected by preceding checks with strlen(). I ended up
changing to using snprintf into a buffer sized by computing the
needed length using strlen, but that was just because it ended up
being much simpler as the string manipulations got more complex.

For a specific case, is there any security hole directly implied by
this C fragment, assuming attackers could control the contents of a
and b?

        char *a = something();
        char *b = something_else();
        int len = strlen(a) + strlen(b);
        char *c = malloc(len + 1);      /* +1 for the terminating NUL */
        if (c == NULL) die("malloc");
        (void) strcat(strcpy(c, a), b);

BTW, what I ended up coding instead of that last line (as it grew
way more complex) was equivalent to:

        /* size argument is the whole buffer (len + 1); a return value
         * other than len means truncation or an error */
        if (snprintf(c, len + 1, "%s%s", a, b) != len) die("snprintf");

-Bennett

[*] I'm re-starting a project I tried previously, which died the
last time for lack of round tuits, a new email local delivery agent,
to compete with procmail, maildrop, mailagent, etc. If it gets
anywhere near fruition I'll send an announcement here of where to
find the code, as soon as it stabilizes enough to deserve a security
audit.
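As an added example (my own code, not from the post or any project it mentions), here is the concatenation in the shape of the fragment above with the two checks a reviewer would ask for when an attacker controls a and b: the size arithmetic is guarded against wrapping, and the snprintf return value is compared with the expected length so truncation is detected rather than only a negative return. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly malloc'd string holding a followed by b, or NULL on
 * failure (caller frees).  Same idea as the fragment in the post, with the
 * checks that make it hold up when an attacker controls a and b. */
char *concat_checked(const char *a, const char *b)
{
    size_t la = strlen(a);
    size_t lb = strlen(b);

    /* la + lb + 1 must not wrap around: on a 32-bit size_t two long
     * strings could make malloc(len + 1) tiny and the copy overflow it. */
    if (lb > SIZE_MAX - 1 - la)
        return NULL;
    size_t len = la + lb;

    char *c = malloc(len + 1);           /* +1 for the terminating NUL */
    if (c == NULL)
        return NULL;

    /* The size argument is the whole buffer, len + 1; passing len would
     * silently drop the last character.  snprintf returns the length the
     * full output would have had, so anything but len means truncation
     * or an encoding error, and the half-built buffer is discarded. */
    int n = snprintf(c, len + 1, "%s%s", a, b);
    if (n < 0 || (size_t)n != len) {
        free(c);
        return NULL;
    }
    return c;
}

/* The strcpy/strcat form from the post.  With the buffer sized from
 * strlen() and the arithmetic guarded, it is exactly as safe as the
 * snprintf version; the danger is in the sizing, not in the functions. */
char *concat_strcat(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (lb > SIZE_MAX - 1 - la)
        return NULL;
    char *c = malloc(la + lb + 1);
    if (c == NULL)
        return NULL;
    strcat(strcpy(c, a), b);
    return c;
}
```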
