Hey John,
JV> 1) sizeof(dst) is very often going to be sizeof(char *) which is 2, no matter
JV> how much space is malloc'd.
Small correction: It should be 4 on most 32-bit platforms, possibly 8
on 64-bit address cpu's
JV> 2) Even if sizeof(dst) did give the right answer in all cases, your macro
JV> would still be susceptible to buffer overflows. Bascially, the third
JV> argument to strcat doesn't do what you seem to think it does. You'd
JV> need to make that: strncat(dst, src, sizeof(dst)-strlen(dst)-1),
JV> and even then you have to worry about whether dst has a null terminator
JV> (which it might not have depending on the call you used), and whether
JV> a null terminator will be placed on the string you're writing (won't
JV> happen if you fill the buffer exactly with some API calls).
Remember here then to document that the programmer must then never
never never use this call on an uninitialized stack buffer, as
strlen() could evaluate to be equal to sizeof() (assuming an attacker
has cleverly polluted the stack) and therefore strncat would copy
an arbitrary amount of data.
Cheers,
dullien (at) gmx (dot) de [email concealed]
--
Mit freundlichen Grüssen
dullien (at) gmx (dot) de [email concealed] mailto:dullien (at) gmx (dot) de [email concealed]
JV> 1) sizeof(dst) is very often going to be sizeof(char *) which is 2, no matter
JV> how much space is malloc'd.
Small correction: It should be 4 on most 32-bit platforms, possibly 8
on 64-bit address cpu's
JV> 2) Even if sizeof(dst) did give the right answer in all cases, your macro
JV> would still be susceptible to buffer overflows. Bascially, the third
JV> argument to strcat doesn't do what you seem to think it does. You'd
JV> need to make that: strncat(dst, src, sizeof(dst)-strlen(dst)-1),
JV> and even then you have to worry about whether dst has a null terminator
JV> (which it might not have depending on the call you used), and whether
JV> a null terminator will be placed on the string you're writing (won't
JV> happen if you fill the buffer exactly with some API calls).
Remember here then to document that the programmer must then never
never never use this call on an uninitialized stack buffer, as
strlen() could evaluate to be equal to sizeof() (assuming an attacker
has cleverly polluted the stack) and therefore strncat would copy
an arbitrary amount of data.
Cheers,
dullien (at) gmx (dot) de [email concealed]
--
Mit freundlichen Grüssen
dullien (at) gmx (dot) de [email concealed] mailto:dullien (at) gmx (dot) de [email concealed]
[ reply ]