On Sat, Nov 16, 2002 at 01:03:41PM -0600, Frank Knobbe wrote:
>
> Perhaps we should start development of a standardized 'safe' header file
> that can contain macros for snprintf, strncat and the like.
...
While such things are floating around out there, it sounds like you
might be interested in looking at something like libsafe for those
particular problems, since it handles things transparently at link
time.
This is NOT safe or even close to correct. There are two big problems
here:
1) sizeof(dst) is very often going to be sizeof(char *) which is 2, no matter
how much space is malloc'd.
2) Even if sizeof(dst) did give the right answer in all cases, your macro
would still be susceptible to buffer overflows. Bascially, the third
argument to strcat doesn't do what you seem to think it does. You'd
need to make that: strncat(dst, src, sizeof(dst)-strlen(dst)-1),
and even then you have to worry about whether dst has a null terminator
(which it might not have depending on the call you used), and whether
a null terminator will be placed on the string you're writing (won't
happen if you fill the buffer exactly with some API calls).
>
> Perhaps we should start development of a standardized 'safe' header file
> that can contain macros for snprintf, strncat and the like.
...
While such things are floating around out there, it sounds like you
might be interested in looking at something like libsafe for those
particular problems, since it handles things transparently at link
time.
> #define safe_strcat(dst,src)
> strncat(dst,src,sizeof(dst))
This is NOT safe or even close to correct. There are two big problems
here:
1) sizeof(dst) is very often going to be sizeof(char *) which is 2, no matter
how much space is malloc'd.
2) Even if sizeof(dst) did give the right answer in all cases, your macro
would still be susceptible to buffer overflows. Bascially, the third
argument to strcat doesn't do what you seem to think it does. You'd
need to make that: strncat(dst, src, sizeof(dst)-strlen(dst)-1),
and even then you have to worry about whether dst has a null terminator
(which it might not have depending on the call you used), and whether
a null terminator will be placed on the string you're writing (won't
happen if you fill the buffer exactly with some API calls).
[ reply ]