Re: Are bad developer libraries the problem with M$ software?

From: <cdavison(at)nucleus.com>
Date: Mon Nov 18 2002 - 12:42:06 EST

----- Original Message -----
From: Frank Knobbe
Sent: 11/18/2002 10:27:09 AM
To: mikehow@microsoft.com
Cc: phani@myrealbox.com; secprog@securityfocus.com
Subject: RE: Are bad developer libraries the problem with M$ software?

> As a side note, proper use of snprintf would be:

I believe you mean strlen and not sizeof. sizeof(mystr) will return the same as sizeof(char*), which is sizeof(int) in most cases or 4 on 32-bit platforms. Unless there's something I wasn't aware of: you're using a bizarre compiler, or C++, or there's a special case for char arrays on the stack.

> Perhaps we should start development of a standardized 'safe' header file

These are good ideas, and you should expand them to handle the case where the destination string is not \0-terminated. Example: strncpy.

     The strncpy() function copies not more than len characters from src into
     dst, appending `\0' characters if src is less than len characters long,
     and not terminating dst otherwise.

I handle this by always setting dst[len-1] = '\0';

Received on Mon Nov 18 15:18:37 2002
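
An added example, not part of the original message: the strncpy behaviour quoted above together with the dst[len-1] = '\0' fix, wrapped in a hypothetical helper that also reports truncation. The function names, the 8-byte buffer and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from the thread: strncpy plus the
 * dst[len-1] = '\0' rule. Returns 1 if src was truncated, 0 if it fit,
 * -1 on unusable arguments. */
int copy_terminated(char *dst, size_t len, const char *src)
{
    if (dst == NULL || src == NULL || len == 0)
        return -1;
    strncpy(dst, src, len);
    if (dst[len - 1] != '\0') {  /* src had >= len chars: no terminator written */
        dst[len - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Returns 1 if plain strncpy left a '\0' inside an 8-byte buffer, else 0. */
int raw_strncpy_terminates(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);   /* simulate stale stack contents */
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Inside a function taking char *, sizeof yields the pointer size,
 * so the buffer length has to be passed in by the caller. */
size_t size_via_pointer(char *p) { return sizeof p; }

char demo_buf[8];   /* constructed sample destination; sizeof demo_buf is 8 */

int main(void)
{
    const char *inputs[] = { "short", "seven77", "exactly8", "far too long" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int raw = raw_strncpy_terminates(inputs[i]);
        int cut = copy_terminated(demo_buf, sizeof demo_buf, inputs[i]);
        printf("%-14s raw terminated=%d  truncated=%d  result=\"%s\"\n",
               inputs[i], raw, cut, demo_buf);
    }
    printf("sizeof via pointer parameter: %zu\n", size_via_pointer(demo_buf));
    return 0;
}
```

The return value lets a caller treat truncation as an error instead of silently continuing with a shortened string.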

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT

