Security Basics mailing list archives
Re: Any reason not to use strcpy, strcat or scanf?
From: Kenny <kenny () codez co uk>
Date: Wed, 14 Jul 2004 23:39:04 +0100
Hi,If you are to use these functions you need to put them into a sanitation function of some type before using them. ie. write your own wrappers for the functions which would include some kind of bounds checking. Basically these functions are the common culprits of buffer overflows in C programs. Go have a read of "Hacking - The Art of Exploitation" by Jon Erickson. This is an excellent book which demonstates some of the common buffer overflow methods including strcpy, strcat and scanf. This book can provide you with much more concise information than you would probably find by searching around.
Hope That Helps - Kenny A.V. wrote:
Hi, I was simply wondering after seeing the "blackhat audit" program sent to F-D whether there was actually any reason not to use these functions (strcpy/strcat/scanf) in your code. I mean, I understand why you shouldn't use scanf to i.e. process user input, but other than that? Some kind of unexpected behaviour or something? Thanks, A.V. ---------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html----------------------------------------------------------------------------
---------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- Any reason not to use strcpy, strcat or scanf? A.V. (Jul 14)
- RE: Any reason not to use strcpy, strcat or scanf? David Gillett (Jul 15)
- Re: Any reason not to use strcpy, strcat or scanf? Hollis Johnson (Jul 15)
- Re: Any reason not to use strcpy, strcat or scanf? Kenny (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? webb wang RR (Jul 16)
- <Possible follow-ups>
- RE: Any reason not to use strcpy, strcat or scanf? Keller, Tim (Jul 15)
- RE: Any reason not to use strcpy, strcat or scanf? Yvan Boily (Jul 16)
- Re: Any reason not to use strcpy, strcat or scanf? markzero (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? Yvan Boily (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? Rocky Heckman (Jul 16)
- RE: Any reason not to use strcpy, strcat or scanf? Yvan Boily (Jul 16)