Vulnerability Development mailing list archives

Re: Secure coding in C (was Re: Administrivia #4883)


From: Liviu.Daia () IMAR RO (Liviu Daia)
Date: Sat, 15 Jan 2000 00:56:13 +0200


On 14 January 2000, Marco Walther <marcow () JENA ENG SUN COM> wrote:
"BT" == Bennett Todd <bet () RAHUL NET> writes:
BT> For a specific case, is there any security hole directly implied
BT> by this C fragment, assuming attackers could control the contents
BT> of a and b?

BT>   char *a = something();
BT>   char *b = something_else();
BT>   int len = strlen(a) + strlen(b);
BT>   char *c = malloc(len + 1) || die("malloc");
BT>   (void) strcat(strcpy(c, a), b);

I don't see any problems here;-)
[...]

    Oh, come on.  What if a and b are not null-terminated?

    This is not only bad style, it's also a PITA to write (not to
mention audit), because the length calculations involved are way too
easy to get wrong.

    Regards,

    Liviu Daia

--
Dr. Liviu Daia               e-mail:   Liviu.Daia () imar ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc
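Daia's objection above (strlen on a buffer that may not be NUL-terminated, plus length arithmetic that is easy to get wrong) is the reason defensive C code takes buffer sizes as explicit parameters instead of trusting terminators. The following is an added example, not code from the thread or any of its participants; the names concat_bounded and bounded_len are hypothetical, and bounded_len reimplements the POSIX strnlen contract so the block compiles with plain C99.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: length of s up to cap bytes, never reading s[cap] or
 * beyond.  Returns cap when no NUL is found inside the buffer (the strnlen
 * contract), which is exactly the unterminated case the thread worries about. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t i;
    for (i = 0; i < cap && s[i] != '\0'; i++)
        ;
    return i;
}

/* Concatenate a and b into a freshly malloc'd, NUL-terminated string.
 * a_cap and b_cap are the sizes of the buffers a and b actually point to,
 * so the scan can never over-read an unterminated input.
 * Returns NULL on a NULL input, on size_t wrap-around in the length sum,
 * or on allocation failure; the caller owns the result and must free() it. */
char *concat_bounded(const char *a, size_t a_cap, const char *b, size_t b_cap)
{
    size_t la, lb, total;
    char *c;

    if (a == NULL || b == NULL)
        return NULL;

    la = bounded_len(a, a_cap);
    lb = bounded_len(b, b_cap);

    /* la + lb + 1 must not wrap: check before adding, not after. */
    if (la > SIZE_MAX - 1 || lb > SIZE_MAX - 1 - la)
        return NULL;
    total = la + lb + 1;

    c = malloc(total);
    if (c == NULL)
        return NULL;

    /* Copy by explicit length; strcpy/strcat would depend on a NUL that may
     * not exist, which is the over-read the original fragment risks. */
    memcpy(c, a, la);
    memcpy(c + la, b, lb);
    c[la + lb] = '\0';
    return c;
}

int main(void)
{
    /* Constructed inputs: a normal C string, and a 4-byte buffer with no
     * terminator at all. */
    const char terminated[] = "user=";
    const char unterminated[4] = { 'a', 'l', 'i', 'c' };

    char *joined = concat_bounded(terminated, sizeof terminated,
                                  unterminated, sizeof unterminated);
    if (joined == NULL) {
        fprintf(stderr, "concat failed\n");
        return 1;
    }
    printf("%s\n", joined);   /* prints: user=alic */
    free(joined);
    return 0;
}
```

Passing sizeof the backing buffer rather than a strlen() result is the point: the size is a fact the caller already knows, whereas the terminator is a property of untrusted data. The single overflow check on the sum is also the only arithmetic an auditor has to verify.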


