|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
RE: Are bad developer libraries the problem with M$ software?
Date: Mon Nov 18 2002 - 15:51:03 EST
This simply proves my point - the 'n' versions are not necessarily any
more secure than the non-'n' versions when people make mistakes like
sizeof(*foo) thinking it's the same as strlen(foo) :-)
Cheers, Michael
Secure Windows Initiative
Writing Secure Code
http://www.microsoft.com/mspress/books/5612.asp
-----Original Message-----
From: [mailto:cdavison@nucleus.com]
Sent: Monday, November 18, 2002 9:42 AM
To: secprog@securityfocus.com
Subject: Re: Are bad developer libraries the problem with M$ software?
- Original Message ----- From: Frank Knobbe Sent: 11/18/2002 10:27:09 AM To: mikehow@microsoft.com Cc: phani@myrealbox.com;secprog@securityfocus.com Subject: RE: Are bad developer libraries the problem with M$ software?
> As a side note, proper use of snprintf would be:
I believe you mean strlen and not sizeof. sizeof(mystr) will return the same as sizeof(char*), which is sizeof(int) in most cases or 4 on 32-bit platforms. Unless there's something I wasn't aware of: you're using a bizarre compiler, or C++, or there's a special case for char arrays on the stack.
> Perhaps we should start development of a standardized 'safe' header
These are good ideas, and you should expand them to handle the case where the destination string is not \0-terminated. Example: strncpy.
The strncpy() function copies not more than len characters from src into
dst, appending `\0' characters if src is less than len characters long,
and not terminating dst otherwise.
I handle this by always setting dst[len-1] = '\0';
Received on Mon Nov 18 22:11:31 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |