Date:      Mon, 29 Nov 2004 14:17:07 -0800
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Charles Swiger <cswiger@mac.com>
Cc:        ipfw@freebsd.org
Subject:   Re: strncmp usage in ipfw
Message-ID:  <20041129221707.GA2571@odin.ac.hmc.edu>
In-Reply-To: <E9480AE5-4244-11D9-9087-003065ABFD92@mac.com>
References:  <20041129192514.GA7331@odin.ac.hmc.edu> <E9480AE5-4244-11D9-9087-003065ABFD92@mac.com>



On Mon, Nov 29, 2004 at 03:26:12PM -0500, Charles Swiger wrote:
> On Nov 29, 2004, at 2:25 PM, Brooks Davis wrote:
> >char *var;
> >if (!strncmp(var, "str", strlen(var)))
> >	...
> >[ ... ]
> >Was use of this idiom deliberate or accidental?
> 
> I can't speak for the author, but using the "n"-for-length variant of
> the string and printf() family of functions is considered an important
> safety practice, especially for network/firewall/IDS software which may
> be exposed to externally generated data which contains deliberately
> malicious string lengths.

That's true for string creation functions, but not for strncmp.

The only valid use of strncmp is to do comparisons between strings where
one string is known to not be NUL-terminated or to look for a
sub-string.  It is not a safety function.

> This brings me back to your point with regard to partial matches; it
> might be the case that the IPFW code could use char arrays and
> sizeof(var) rather than char *'s and strlen(var) for some cases?  The
> former approach would not only address your concerns, Brooks, but also
> be faster.  Otherwise, I suspect that:
> 
> 	char *var;
> 	if (!strncmp(var, "str", strlen(var)))
> 		...
> 
> ...should become:
> 
> 	#define STR "str"
> 	char *var;
> 	if (!strncmp(var, STR, sizeof(STR)))
> 		...

This is exactly equivalent in functionality to:

	char *var;
	if (!strcmp(var, "str"))
		...

We know that "str" is NUL-terminated because the C standard says it
is so we will stop at or before the sizeof("str")th character.  In
either case we are not protected from the possibility that var contains
a bogus string if the bogosity occurs before we get to the end of "str".
In fact, there's no way to be sure of that except creating the string
correctly in the first place!

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
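As an added example, not code from this thread or from ipfw, the three comparison forms discussed above run side by side over a constructed two-entry keyword table. The table `keywords`, the `lookup_keyword` helper and the sample inputs are assumptions made for the illustration; they show that the `strlen(var)` bound accepts any prefix of a keyword (including the empty string), while the `sizeof(STR)` bound and plain `strcmp()` select exactly the same entries.

```c
#include <stdio.h>
#include <string.h>

/* Constructed keyword table (not ipfw's): two keywords that share a prefix,
 * which is where the partial-match behaviour becomes visible. */
static const char *keywords[] = { "str", "string" };
#define NKEYWORDS (sizeof(keywords) / sizeof(keywords[0]))

enum cmp_mode {
    CMP_STRLEN_VAR,  /* strncmp(var, kw, strlen(var)): the idiom asked about   */
    CMP_SIZEOF_KW,   /* strncmp(var, kw, sizeof(kw-literal)): the replacement  */
    CMP_STRCMP       /* strcmp(var, kw): what Brooks says the replacement equals */
};

/* One comparison of var against a single keyword under the chosen mode. */
static int keyword_equal(const char *var, const char *kw, enum cmp_mode mode)
{
    switch (mode) {
    case CMP_STRLEN_VAR:
        /* Bound by the length of the *input*: a short var compares only
         * its own characters, so "", "s", "st" all "match" "str". */
        return strncmp(var, kw, strlen(var)) == 0;
    case CMP_SIZEOF_KW:
        /* sizeof("str") is strlen("str") + 1: the bound includes the NUL,
         * so the comparison always reaches the end of the keyword. */
        return strncmp(var, kw, strlen(kw) + 1) == 0;
    case CMP_STRCMP:
        return strcmp(var, kw) == 0;
    }
    return 0;
}

/* Index of the first keyword that matches var under the given mode, or -1. */
int lookup_keyword(const char *var, enum cmp_mode mode)
{
    size_t i;

    for (i = 0; i < NKEYWORDS; i++)
        if (keyword_equal(var, keywords[i], mode))
            return (int)i;
    return -1;
}

/* Constructed sample inputs covering prefixes, exact matches and overruns. */
static const char *samples[] = { "", "s", "st", "str", "stx", "string", "strings" };
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Checks the claim in the mail: over every sample, the sizeof()-bounded
 * strncmp and plain strcmp select the same keyword.  Returns 1 if so. */
int sizeof_mode_equals_strcmp(void)
{
    size_t i;

    for (i = 0; i < NSAMPLES; i++)
        if (lookup_keyword(samples[i], CMP_SIZEOF_KW) !=
            lookup_keyword(samples[i], CMP_STRCMP))
            return 0;
    return 1;
}

int main(void)
{
    size_t i;

    printf("%-10s %12s %12s %8s\n", "input", "strlen(var)", "sizeof(kw)", "strcmp");
    for (i = 0; i < NSAMPLES; i++) {
        char quoted[16];

        snprintf(quoted, sizeof(quoted), "\"%s\"", samples[i]);
        printf("%-10s %12d %12d %8d\n", quoted,
            lookup_keyword(samples[i], CMP_STRLEN_VAR),
            lookup_keyword(samples[i], CMP_SIZEOF_KW),
            lookup_keyword(samples[i], CMP_STRCMP));
    }
    printf("sizeof mode == strcmp over all samples: %d\n",
        sizeof_mode_equals_strcmp());
    return 0;
}
```

The first column of the printed table is the one to watch: under the `strlen(var)` bound the empty string and every prefix of "str" resolve to keyword 0, and "strings" resolves to nothing rather than to "string", which is the partial-match ambiguity the thread is about. The other two columns are identical for every input.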
