Re: Secure coding in C (was Re: Administrivia #4883)

[bet () RAHUL NET (Bennett Todd)]

2000-01-14-16:48:50 Marco Walther:
> BT>   snprintf(c, len, "%s%s", a, b) > 0 || die "snprintf";
>
> You're dead! Use (*a == '\0' && *b == '\0') and snprintf() returns `0'!!

Thanks for the tip. I knew about, and ignored that possibility; in
this case the values I'm concatenating come from various sources,
some of which are guaranteed to be non-null, and the format string
actually includes some literal characters, not just a bunch of %s's.

I'm building up a maildir file name, actually. And I _know_ that
someone, someday, is going to use my program to pick a field out of
the header and directly use that as a folder name, so I better be
able to soak up hostile strings showing up:-).

And for whatever it's worth, I consider ``die("snprintf")'' to be a
healthy response to an otherwise-unchecked hostile string, at least
in this setting:-).

-Bennett

<HR NOSHADE>
<UL>
<LI>application/pgp-signature attachment: stored
</UL>