Pantek Library

Re: safe strcpy()?

From: Crispin Cowan <crispin(at)wirex.com>
Date: Tue Jan 28 2003 - 02:57:37 EST

Ed Carp wrote:

>start looking for a way to figure out how to determine how

No, there is no way for the string copy function itself to determine the size of the destination buffer. All such computation has to be done at the call site, not in the copy function. This is an inherent safety limitation of the C language.

There are two compiler enhancements for GCC that provide full bounds checking on arrays (Bounded Pointers <http://gcc.gnu.org/projects/bp/main.html>, and the other nameless project by Jones & Kelly <http://www.doc.ic.ac.uk/%7Ephjk/BoundsChecking.html>, and ten Brugge <http://web.inter.nl.net/hcc/Haj.Ten.Brugge/>). However, IIRC, both of these enhancements just cause the program to die if the buffer overflows. The other response would be to just ignore writes to arrays beyond the bounds of the array, which is very likely to cause "surprising" incorrect behavior.

More generally, you can read my survey of buffer overflow attacks and defenses here:

    "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. DARPA Information Survivability Conference and Expo (DISCEX) <http://schafercorp-ballston.com/discex/>, Hilton Head Island SC, January 2000. Also presented as an invited talk at SANS 2000 <http://www.sans.org/sans2000/sans2000.htm>, Orlando FL, March 2000. PDF <http://wirex.com/%7Ecrispin/discex00.pdf>.

It's now a little dated, in that PAX <http://pageexec.virtualave.net/>, libsafe <http://www.research.avayalabs.com/project/libsafe/>, and StackGhost <http://stackghost.cerias.purdue.edu/> came out since I wrote that paper. A more recent and comprehensive survey of open source security will appear shortly in the new IEEE Security&Privacy Magazine <http://www.computer.org/security/>.


Oh yeah, and there's StackGuard <http://immunix.org/stackguard.html> :-)

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      
http://wirex.com/~crispin/
Security Hardened Linux Distribution:       
http://immunix.org
Available for purchase: 
http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"

  • application/pgp-signature attachment: stored
Received on Tue Jan 28 03:08:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:45 EDT
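
Added example, not part of the original message or of any project it mentions: a C sketch of the point that the destination size is only known at the call site. The names size_seen_by_callee, bounded_copy, COPY_TO_ARRAY and demo_buf are hypothetical, and the input strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a copy routine can see: the array argument has decayed to char *,
 * so sizeof gives the pointer size, not the caller's buffer capacity. */
size_t size_seen_by_callee(char *dst)
{
    return sizeof dst;
}

/* Hypothetical bounded copy: capacity is supplied by the caller.
 * Returns 0 on success, -1 on truncation or unusable arguments.
 * On truncation dst still ends in a NUL terminator. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsize) {              /* would overflow: truncate and report */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* fits, including the terminator */
    return 0;
}

/* Call-site wrapper: sizeof is evaluated where dst is still an array.
 * Only correct for true arrays; passing a pointer yields the wrong size. */
#define COPY_TO_ARRAY(dst, src) bounded_copy((dst), sizeof (dst), (src))

char demo_buf[8];                    /* constructed sample destination */

int main(void)
{
    printf("callee sees %zu bytes, call site sees %zu\n",
           size_seen_by_callee(demo_buf), sizeof demo_buf);
    printf("fits: %d\n", COPY_TO_ARRAY(demo_buf, "short"));
    printf("too long: %d -> \"%s\"\n",
           COPY_TO_ARRAY(demo_buf, "much too long"), demo_buf);
    return 0;
}
```

The macro gives a wrong capacity if it is handed a pointer instead of an array, which is the same limitation seen from the other side.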

