Secure Coding mailing list archives
Re: New Microsoft Security Tool for developers
From: Dave Aronson <securecoding () dja mailme org>
Date: Tue, 16 Dec 2003 00:55:24 +0000
Gene Spafford pointed out that noOverflow could be passed a pointer to a string that was *shorter* than the internal buffer. He did not state specifically what was so bad about this, but I presumed that his point was the one later raised by Jannie Hanekom: that there could be information leakage from just past str, into buffer. (Also possibly that that chunk of memory might be protected, in various ways that would crash the program.) Spaf, is this indeed what you meant?

Jannie erroneously stated that strncpy always copies the maximum size. Many of you pointed out that this is not true, since strncpy will stop copying after the first zero byte. So far so good. BUT... what if there *is no* zero byte, at least on the string initially passed? Then, strncpy will happily continue copying, up to the maximum size, leaking info just as Jannie said. Example, modifying Spaf's:

    #include <stdio.h>
    #include <string.h>

    void noOverflow(char *str);

    int main(void)
    {
        char fbuf[2];                 /* deliberately NOT zero-terminated */
        char password[8] = "secret";
        fbuf[0] = 'x';
        fbuf[1] = 'y';
        noOverflow(fbuf);
        return 0;
    }

    void noOverflow(char *str)
    {
        char buffer[10];
        strncpy(buffer, str, (sizeof(buffer) - 1));
        buffer[(sizeof(buffer) - 1)] = 0;
        /* Avoiding buffer overflow with the above two lines */
        printf("%s\n", buffer);
    }

Assuming that, in actual storage, password does indeed immediately follow fbuf, this would print xysecret. Of course, this could chain more than just two char-buffers (or any other kind of data), until the maximum size or a zero byte.

Spaf also suggested rewriting noOverflow to include a parameter for the buffer size. That would help prevent accidental misuse -- but malicious abusers could still pass in a bad buffer size.

(BTW, I'm feeling caught in a bit of a timewarp. Last time I followed up to something spaf posted was about 20 years ago....)

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson
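The over-read described in the post, set beside a copy routine that bounds the read as well as the write, as an added example that is not part of the original message or of anything posted in this thread. It goes one step beyond Spaf's suggestion of a destination-size parameter: the hardened copy also takes the number of bytes the source actually holds, so a source with no zero byte can never be read past its end. The names leaky_copy, copy_bounded, struct record and the check functions are my own, and the two-byte field followed by a secret is a constructed layout, placed in one struct so the adjacency the post has to assume on the stack is guaranteed here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed memory layout: the post's fbuf followed immediately by
 * password, as two members of one struct (no padding between chars). */
struct record {
    char tag[2];      /* not zero-terminated: "xy" */
    char secret[8];   /* "secret" plus terminator */
};

/* The post's noOverflow, as a function returning the copied length.
 * strncpy treats str as a C string, so when the bytes at str carry no
 * zero it keeps reading past them until the bound is reached. */
size_t leaky_copy(char *dst, size_t dst_size, const char *str)
{
    strncpy(dst, str, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* Hardened copy: the caller states both the destination size and how many
 * bytes the source really holds. The read never goes beyond src_len, the
 * write never goes beyond dst_size, and the result is always terminated.
 * Returns the number of bytes copied, or (size_t)-1 when dst_size is 0. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    size_t n = 0;
    if (dst_size == 0)
        return (size_t)-1;            /* nothing can be written safely */
    while (n < src_len && src[n] != '\0')
        n++;                          /* stop at a zero byte or at src_len */
    if (n > dst_size - 1)
        n = dst_size - 1;             /* truncate rather than overflow */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Reproduce the leak on the constructed record. Returns 1 when the leaky
 * copy pulled the secret into dst (the "xysecret" output from the post). */
int demo_leak(void)
{
    struct record r;
    char out[10];
    memcpy(r.tag, "xy", 2);
    memcpy(r.secret, "secret\0\0", 8);
    /* &r has the same address as r.tag; casting the whole struct keeps the
     * over-read inside one object so the behaviour is well defined. */
    leaky_copy(out, sizeof out, (const char *)&r);
    return strcmp(out, "xysecret") == 0;
}

/* Exercise the hardened copy on the same record and on edge cases.
 * Returns 1 when every property holds. */
int check_bounded(void)
{
    struct record r;
    char out[10];
    memcpy(r.tag, "xy", 2);
    memcpy(r.secret, "secret\0\0", 8);
    /* Source length given explicitly: only "xy" is copied, no secret. */
    if (copy_bounded(out, sizeof out, r.tag, sizeof r.tag) != 2) return 0;
    if (strcmp(out, "xy") != 0) return 0;
    /* Destination too small: truncated, still terminated. */
    if (copy_bounded(out, 4, "secret", 6) != 3) return 0;
    if (strcmp(out, "sec") != 0) return 0;
    /* Zero-sized destination: refused rather than written. */
    if (copy_bounded(out, 0, "x", 1) != (size_t)-1) return 0;
    return 1;
}

int main(void)
{
    printf("leaky copy exposed the secret: %s\n", demo_leak() ? "yes" : "no");
    printf("bounded copy behaved:          %s\n", check_bounded() ? "yes" : "no");
    return 0;
}
```

The difference to watch in review is the contract, not the call: leaky_copy bounds only the write and trusts the source to be terminated, while copy_bounded makes the caller supply a source length and so turns the post's silent leak into a truncation that the return value reports.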
Current thread:
- Re: New Microsoft Security Tool for developers, (continued)
- Re: New Microsoft Security Tool for developers Mark Graff (Dec 13)
- RE: New Microsoft Security Tool for developers Jannie Hanekom (Dec 14)
- Re: New Microsoft Security Tool for developers der Mouse (Dec 15)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 15)
- Re: New Microsoft Security Tool for developers Crispin Cowan (Dec 15)
- Re: New Microsoft Security Tool for developers Dana Epp (Dec 15)
- RE: New Microsoft Security Tool for developers Örjan Petersson (Dec 16)
- strncpy (was: Re: New Microsoft Security Tool for developers) David A. Wheeler (Dec 16)
- Re: strncpy (was: Re: New Microsoft Security Tool for developers) Florian Weimer (Dec 17)
- Re: New Microsoft Security Tool for developers Dave Aronson (Dec 15)
- Re: New Microsoft Security Tool for developers Gene Spafford (Dec 17)
- Re: New Microsoft Security Tool for developers Mikey (Dec 17)