Security Basics mailing list archives
RE: Any reason not to use strcpy, strcat or scanf?
From: "Yvan Boily" <yboily () seccuris com>
Date: Thu, 15 Jul 2004 12:05:24 -0500
A valuable explanation of why not to use them can be found in Aleph One's article "Smashing The Stack For Fun And Profit". http://destroy.net/machines/security/P49-14-Aleph-One Understanding why buffer overruns are dangerous and how they can be exploited helps significantly when trying to understand why it is important to to make assumptions about the size of data being passed between function calls. I strongly recommending getting a copy Viega & McGraws book Building Secure Software, http://www.buildingsecuresoftware.com/ This book is a very good resource for someone learning about software design etc... Yvan Boily -----Original Message----- From: Keller, Tim [mailto:Tim.Keller () stratus com] Sent: Wednesday, July 14, 2004 2:23 PM To: Secbasics Subject: RE: Any reason not to use strcpy, strcat or scanf? A.V., Yeah. The reason you shouldn't use these because they don't do any bounds checking. Thus you could have a situation where you've defined an 80 character array and then write a 180 characters into it, going off the end of the variable and stomping on whatever is past it... What you should use is strncpy and strncat. These force you to specify that you only copy or concatonate "n" bytes from the source into the destination. Check out this site, it's got some very good info on what your interested in. http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/dangers-c.html -----Original Message----- From: A.V. [mailto:pahalial.lists () gmail com] Sent: Wednesday, July 14, 2004 7:00 AM To: Secbasics Subject: Any reason not to use strcpy, strcat or scanf? Hi, I was simply wondering after seeing the "blackhat audit" program sent to F-D whether there was actually any reason not to use these functions (strcpy/strcat/scanf) in your code. I mean, I understand why you shouldn't use scanf to i.e. process user input, but other than that? Some kind of unexpected behaviour or something? Thanks, A.V. --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Any reason not to use strcpy, strcat or scanf? A.V. (Jul 14)
- RE: Any reason not to use strcpy, strcat or scanf? David Gillett (Jul 15)
- Re: Any reason not to use strcpy, strcat or scanf? Hollis Johnson (Jul 15)
- Re: Any reason not to use strcpy, strcat or scanf? Kenny (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? webb wang RR (Jul 16)
- <Possible follow-ups>
- RE: Any reason not to use strcpy, strcat or scanf? Keller, Tim (Jul 15)
- RE: Any reason not to use strcpy, strcat or scanf? Yvan Boily (Jul 16)
- Re: Any reason not to use strcpy, strcat or scanf? markzero (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? Yvan Boily (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? Rocky Heckman (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? Yvan Boily (Jul 16)