> Perhaps we should start development of a standardized 'safe' header file
> that can contain macros for snprintf, strncat and the like.
>
> Example:
> #define safe_snprinf(dst,len,fmt,var)
> snprintf(dst,(len>sizeof(dst)-1)?sizeof(dst)-1:len,fmt,var)
>
> #define safe_strcat(dst,src)
> strncat(dst,src,sizeof(dst))
>
> #define safe_strncat(dst,src,len)
> strncat(dst,src,(len>sizeof(dst)-1-strlen(dst))?
> (sizeof(dst)-1-strlen(dst):len)
This works only with arrays. But breaks with pointers,
because sizeof(pointer) returns 4 (32 bit machines) or 8 (64 bit machine)...
> Although it may be easier to rewrite the libraries with checks
> implemented...
that is snprintf() et al...
But these only give you the possibility to do something right.
But to do it right you have to know what you are doing...
> My argument is that we should move security into the libraries and tools
> and not rely on the developer to implement checks to avoid existing (but
> documented) flaws..
No.
The libraries must give the developer the tools he needs to
write save programs.
Only he knows the limitations his program has and needs.
And it is his responsibility to implement these limitations.
> Perhaps we should start development of a standardized 'safe' header file
> that can contain macros for snprintf, strncat and the like.
>
> Example:
> #define safe_snprinf(dst,len,fmt,var)
> snprintf(dst,(len>sizeof(dst)-1)?sizeof(dst)-1:len,fmt,var)
>
> #define safe_strcat(dst,src)
> strncat(dst,src,sizeof(dst))
>
> #define safe_strncat(dst,src,len)
> strncat(dst,src,(len>sizeof(dst)-1-strlen(dst))?
> (sizeof(dst)-1-strlen(dst):len)
This works only with arrays. But breaks with pointers,
because sizeof(pointer) returns 4 (32 bit machines) or 8 (64 bit machine)...
> Although it may be easier to rewrite the libraries with checks
> implemented...
that is snprintf() et al...
But these only give you the possibility to do something right.
But to do it right you have to know what you are doing...
> My argument is that we should move security into the libraries and tools
> and not rely on the developer to implement checks to avoid existing (but
> documented) flaws..
No.
The libraries must give the developer the tools he needs to
write save programs.
Only he knows the limitations his program has and needs.
And it is his responsibility to implement these limitations.
Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
[ reply ]