Pantek Library

Re: safe strcpy()?

From: Steffen Dettmer <steffen(at)dett.de>
Date: Tue Jan 28 2003 - 19:09:55 EST

>
> I'm pretty convinced I've seen at least a discussion about such an

There was a thread on secprog, yep. For instance, I wrote a mail about "the own text buffer type" in:
http://online.securityfocus.com/archive/98/300536/2002-12-01/2002-12-07/2

> - Use a range checking compiler that emits and tracks this additional

BTW, I know the gcc bounds patch and I used it once, it was a nice thing! Is there something similar available for C++? I've played around with efence and mpatrol, both may help to find overflows and such. Maybe worth a look?

> - Implement manual passing of the information by adding a length

Isn't this strncpy and strlcpy?

> - ...or, per Crispin's suggestion, use a runtime checker like

Is StackGuard only protecting the stack? Then mpatrol may be more helpful I think, please correct me if I'm wrong.

Well, the question was about language... I think C is "optimized" for speed and is nice for small embedded systems :) "Higher level" languages, such as C++, Java or even Ada and heaps of others support many more language features to protect against such issues. Maybe C is not designed for safety... With C++ you can add some comfortable, with Java you should always get run time exceptions. Ada isn't widely used in practice (outside government and medical projects and such) I think.

oki,

Steffen

-- 
This message was generated by machine,
it therefore bears neither signature nor seal.
Received on Tue Jan 28 19:13:27 2003
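
The reply above equates "manual passing of the length" with strncpy and strlcpy; the two behave differently on truncation. The following is an added example, not part of the original post: `bounded_copy` is a hypothetical helper written here with strlcpy-style semantics (strlcpy itself is not available in every libc), and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, strlcpy-style): copies at most
 * dstsize-1 bytes, always NUL-terminates when dstsize > 0, and returns
 * strlen(src) so the caller detects truncation when ret >= dstsize. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Returns 1 if strncpy() left the first dstsize bytes without a NUL,
 * 0 if the result is terminated, -1 on a bad dstsize. */
int strncpy_unterminated(const char *src, size_t dstsize)
{
    char dst[64];
    if (dstsize == 0 || dstsize > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);      /* make a missing NUL visible */
    strncpy(dst, src, dstsize);        /* no NUL if strlen(src) >= dstsize */
    return memchr(dst, '\0', dstsize) == NULL;
}

int main(void)
{
    const char *input = "0123456789";  /* constructed: 10 chars, buffer is 8 */
    char buf[8];

    printf("strncpy unterminated: %d\n",
           strncpy_unterminated(input, sizeof buf));

    size_t need = bounded_copy(buf, input, sizeof buf);
    if (need >= sizeof buf)
        printf("truncated to \"%s\" (needed %zu bytes)\n", buf, need + 1);
    return 0;
}
```

With strncpy the caller has to terminate the buffer by hand and has no direct signal that data was cut off; the strlcpy-style return value makes truncation an explicit condition to check.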

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:46 EDT

