Vulnerability Development mailing list archives

Re: Secure coding in C (was Re: Administrivia #4883)


From: marcow () JENA ENG SUN COM (Marco Walther)
Date: Thu, 20 Jan 2000 23:57:38 -0800


"BT" == Tellier, Brock <btellier () USA NET> writes:

BT> In message <Pine.LNX.4.03.10001161207550.7428-100000 () brian citynet net> Brian Masney writes:
BT>: On some UNIX systems, snprintf does not guarantee that it will nul
BT>: terminate the string. I know on some older versions of libc5 (sorry,
BT>: don't have an exact version), if the buffer you were writing to got to the
BT>: max size you passed it, it would stop there without adding the nul. So,
BT>: you'll run into problems later on if you pass it to a string
BT>: function (like strcpy())

snprintf is *DEFINED* to NUL terminate the string.  Systems that don't
do this are broken.  That's why it is used as widely as it is.

From the Solaris 7 snprintf man page:

BT> The snprintf() function is identical to sprintf()
BT> with the addition  of the argument n, which specifies
BT> the size of the buffer referred to by s. The buffer is terminated  with  the null byte only if space is available.
BT> --------------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^

BT> Meaning that one shouldn't copy more than bufsize - 1 bytes or risk a bof later on.

And the same paragraph from the Solaris 8 snprintf man page:

"     The snprintf() function is identical to sprintf()  with  the
     addition  of the argument n, which specifies the size of the
     buffer referred to by s. The  buffer  is  always  terminated
     with the null byte."

I've tried a small test case on Solaris 7 and it looks like the man is
not correct there?!

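#include <stdio.h>

int main(void)
{
  char b[10];

  /* The format string is far longer than the 10-byte buffer. */
  snprintf(b, 10, "I'm a really long test string!\n");

  /* Prints 0 if snprintf wrote the terminating NUL into the last byte. */
  printf("b[9]= %d\n", (int)b[9]);
  return 0;
}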

returns `b[9]= 0'

-- Marco
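
The thread's disagreement is whether snprintf() can be trusted to terminate the buffer on every libc. The following is an added example, not code from the original post: a hypothetical wrapper, `fmt_checked`, that forces termination itself and reports truncation whether the libc returns the would-be length (C99) or a negative value (some older implementations).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * fmt_checked is a hypothetical helper (not from the thread).
 * Returns 0 if the output fit, 1 if it was truncated, -1 on error.
 * When size > 0, dst is always NUL-terminated on return.
 */
int fmt_checked(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || size == 0)
        return -1;               /* no room even for the terminator */

    va_start(ap, fmt);
    n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);

    /* Do not rely on the libc: terminate the last byte ourselves. */
    dst[size - 1] = '\0';

    if (n < 0) {
        /* C99: output error. Some pre-C99 libcs: truncation.
         * The two cannot be told apart, so fail closed. */
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)n >= size)
        return 1;                /* C99 reports the length it wanted */
    return 0;
}

int main(void)
{
    char b[10];
    int rc;

    memset(b, 'X', sizeof b);    /* make a missing NUL visible */
    rc = fmt_checked(b, sizeof b, "I'm a really long test string!\n");
    printf("rc=%d b[9]=%d b=\"%s\"\n", rc, (int)b[9], b);
    return 0;
}
```

Callers should treat any nonzero return as a failure instead of continuing with the shortened string.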
