Date: Wed, 24 Nov 1999 16:31:40 +1100
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: Brian Fundakowski Feldman <green@FreeBSD.ORG>
Cc: current@FreeBSD.ORG
Subject: Re: FreeBSD security auditing project.
Message-ID: <99Nov24.162448est.40336@border.alcanet.com.au>
In-Reply-To: <Pine.BSF.4.10.9911232317170.40485-100000@green.dyndns.org>
References: <99Nov24.075703est.40331@border.alcanet.com.au> <Pine.BSF.4.10.9911232317170.40485-100000@green.dyndns.org>
On 1999-Nov-24 15:33:14 +1100, Brian Fundakowski Feldman wrote:
>I'd like to note something. Strcat isn't necessarily unsafe, and strncat()
>isn't necessarily safe.

I wasn't implying that. In fact, I believe the semantics of strncat() put it into the `hard to use correctly' category (or maybe `very likely to be misused').

> if (fscanf(file, "%d:foo:%.*s", &smurf, sizeof(something),
> something) /* This is safe, of course. */

Beep. You lose. "%.*s" doesn't exist in *scanf() [I thought it did, but it's not mentioned in either scanf(3) or the source]. You have to specify field widths as literals (which makes this sort of code a real PITA).

>#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
> char action2[32], proto[47], name[18], fragment[17];
> /* Print command name */
> snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
>
>Despite the fact that the buffer name[] was made to be exactly the
>largest size, where sprintf() _would_be_safe_,

Not necessarily true. Consider a system where sizeof(int)==8 (such C compilers exist today). In this case "%d" can take 20 characters, but the code above assumes an int can always be printed in 11 characters.

> Don't get caught doing this.

>If you find a strcat() (for example), see if it's safe. If it is,
>then why replace it?

Confirming that it is safe (checking all the paths by which the strcat() can be reached) might take substantial effort (if the buffers and/or range checks are widely separated from the strcat() call). In addition, someone might add a new path to the strcat(), or might change a buffer size, without properly checking all the ramifications. I tend towards the approach that unless it's immediately obvious that it's safe, you are better off using strlcat() (or maybe strncat()).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
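The two points Peter makes about the quoted SNPARGS() code, that "%d" needs 20 characters rather than 11 once int is 64 bits wide, and that the macro only stays safe because the size argument is clamped to zero once the offset passes the end of the array, can be checked directly. The following is an added example written for this archive page, not code from the thread or from ipfw: max_int_chars_for_bits() computes the worst-case width of "%d" from the type's bit width instead of assuming 11, and build_tag() uses the same macro (parenthesised) to append two fields into an 18-byte array and reports whether the result was truncated. The rule number, protocol string and the hypothetical build_tag() interface are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Worst-case characters "%d" can need for a signed integer of the given
 * width: one sign character plus the decimal digits of the largest value.
 * (INT_MIN has the same digit count as INT_MAX in two's complement.)
 * 32 bits -> 11, 64 bits -> 20, which is the case Peter warns about. */
size_t max_int_chars_for_bits(unsigned bits)
{
    unsigned long long v = (bits >= 64) ? (ULLONG_MAX >> 1)
                                        : ((1ULL << (bits - 1)) - 1);
    size_t digits = 0;

    do {
        digits++;
        v /= 10;
    } while (v);
    return 1 + digits;
}

/* The macro from the message, with parentheses added. It expands to the
 * (pointer, size) pair snprintf() wants for writing into array buf at
 * offset len; the size becomes 0 once len has reached the end, so a
 * later append cannot write past the array. It relies on sizeof(buf)
 * being the array size, so it must never be used on a pointer. */
#define SNPARGS(buf, len) \
    (buf) + (len), (sizeof(buf) > (len) ? sizeof(buf) - (len) : 0)

/* Builds an "ipfw: N proto" tag into an 18-byte array, the size used in
 * the quoted code, appending the second field at the offset the first
 * one consumed. Copies the (always NUL-terminated) result into dst and
 * returns 1 if the text did not fit, 0 otherwise. Hypothetical helper. */
int build_tag(int rule_number, const char *proto, char *dst, size_t dstlen)
{
    char name[18];
    size_t len = 0;
    int n;

    n = snprintf(SNPARGS(name, len), "ipfw: %d", rule_number);
    if (n > 0)
        len += (size_t)n;           /* length needed, not length written */
    if (len > sizeof(name))
        len = sizeof(name);         /* keep the pointer within the array */

    n = snprintf(SNPARGS(name, len), " %s", proto);
    if (n > 0)
        len += (size_t)n;
    if (len > sizeof(name))
        len = sizeof(name);

    snprintf(dst, dstlen, "%s", name);
    /* Needing sizeof(name) or more characters means the tail was cut. */
    return len >= sizeof(name);
}

int main(void)
{
    char out[64];
    int truncated;

    printf("%%d needs up to %zu chars for this platform's int\n",
           max_int_chars_for_bits(sizeof(int) * CHAR_BIT));
    truncated = build_tag(100, "tcp", out, sizeof out);
    printf("\"%s\" truncated=%d\n", out, truncated);
    truncated = build_tag(-1, "someverylongprotoname", out, sizeof out);
    printf("\"%s\" truncated=%d\n", out, truncated);
    return 0;
}
```

With a 64-bit int the first line reports 20, so "ipfw: %d" alone could need 26 characters, more than name[18] holds; the clamped size argument is what turns that from an overflow into a truncation, and the return value is what lets a caller notice the truncation instead of silently logging a cut-off rule number.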