Re: safe strcpy()?
From: Ed Carp (erc@pobox.com)
Date: 01/28/03
- Previous message: Michal Zalewski: "Re: safe strcpy()?"
- In reply to: Michal Zalewski: "Re: safe strcpy()?"
- Next in thread: Michal Zalewski: "Re: safe strcpy()?"
- Reply: Michal Zalewski: "Re: safe strcpy()?"
- Reply: Timo Sirainen: "Re: safe strcpy()?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Jan 2003 03:44:24 -0600 (CST)
From: Ed Carp <erc@pobox.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
On Tue, 28 Jan 2003, Michal Zalewski wrote:
> There are several interesting ways to prevent the problem without making
> major changes to the code, however. One of the better ideas I've seen is to
> register buffer sizes when buffers are created. It takes a few more lines
> when you create an object, but this is the only effort you need to make.
> Buffers are later deregistered from your own free(), for heap memory - and
> your own function epilogue, for stack. With some help from the compiler
> and linker, the last two steps involve no changes to your existing code. If
> your code uses mapped memory, you might also want to cover munmap and
> such.
>
> You just call register_buf() whenever you create an array, a structure or
> such. Its address, length and element size would be stored, so that you
> can query for a buffer at any time, and perhaps decide, based on element
> size, if it's suitable for the operation you are about to perform (so that
> when you have a number of buffers inside an array, and you only added the
> array to implement index range checking, but forgot to add single buffers,
> your code would not overwrite other elements when modifying one, but
> rather bail out because of element size mismatch).
>
> The approach is not perfect, but can be quite helpful.
I wasn't able to find such a function - do you have an example?
Most of the buffers we use are fixed-size, to side-step problems with
malloc() and free(), and so we've been able to partially get around this
problem by writing strcpy() as a macro - for example:
char buf[512];
our_strcpy(buf, source);
if our_strcpy() is written as a macro, then sizeof(buf) will return 512,
and so we can do bounds checking. The problem comes in when someone does
something like:
ptr = buf;
our_strcpy(ptr, source);
How can one determine the size of the buffer being pointed to?
sizeof(ptr) returns 4 :( Technically, that's correct, but that's not what
I meant ;)
--
Ed Carp, N7EKG  http://www.pobox.com/~erc  214/986-5870
Licensed Texas Peace Officer
Computer Crime Investigation Consultant
Director, Software Development
Escapade Server-Side Scripting Engine Development Team
http://www.squishedmosquito.com
Microsoft Front Page - the official HTML editor of Al Qaeda
Microsoft Hotmail - the official email of Al Qaeda
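An added example, not code from either poster, that puts both halves of the thread into working C: Ed's sizeof()-based macro, extended with a compile-time guard so that the `ptr = buf; our_strcpy(ptr, ...)` case is refused instead of silently using sizeof(pointer) as the bound, and a minimal version of the buffer registry Michal describes, so that a copy through a bare pointer (interior pointers included) can still be bounded and a copy into one element of an array of buffers cannot spill into the next. register_buf() is the name Michal used; bounded_copy(), find_buf(), ptr_strcpy(), ARRAY_STRCPY, IS_ARRAY and demo() are names chosen here, and the array test relies on the GCC/Clang `__builtin_types_compatible_p` extension.

```c
/* Added example, not code from Ed Carp or Michal Zalewski. register_buf() is
 * Michal's name; every other identifier is hypothetical. Needs GCC or Clang. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst of capacity dst_size, always NUL-terminating.
 * Returns the length copied, or -1 if the source had to be truncated. */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0) return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Ed's macro plus a guard: IS_ARRAY() is 1 only for a real array, whose type
 * differs from "pointer to its first element". A pointer argument yields a
 * negative array size, i.e. a compile error, not a 4- or 8-byte bound. */
#define IS_ARRAY(a) \
    (!__builtin_types_compatible_p(__typeof__(a), __typeof__(&(a)[0])))
#define ARRAY_STRCPY(dst, src) \
    ((void)sizeof(char[IS_ARRAY(dst) ? 1 : -1]), \
     bounded_copy((dst), sizeof(dst), (src)))

/* Registry of live buffers: base, total length, element size. The element is
 * the unit one string may fill: the whole buffer for char[N], a row for char[N][M]. */
struct buf_rec { const void *base; size_t len; size_t elem; };
static struct buf_rec registry[64];
static size_t nregistered;

static int register_buf(const void *base, size_t len, size_t elem)
{
    if (nregistered >= 64 || elem == 0 || elem > len) return -1;
    registry[nregistered++] = (struct buf_rec){ base, len, elem };
    return 0;
}

/* What your own free()/munmap() wrapper or function epilogue would call. */
static int unregister_buf(const void *base)
{
    for (size_t i = 0; i < nregistered; i++)
        if (registry[i].base == base) { registry[i] = registry[--nregistered]; return 0; }
    return -1;
}

/* Find the registered buffer containing p; interior pointers count. */
static const struct buf_rec *find_buf(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < nregistered; i++) {
        uintptr_t b = (uintptr_t)registry[i].base;
        if (a >= b && a < b + registry[i].len) return &registry[i];
    }
    return NULL;
}

/* strcpy() through a bare pointer: look it up and bound the copy by the end
 * of the element containing it. Unknown destination: bail out. */
static int ptr_strcpy(char *dst, const char *src)
{
    const struct buf_rec *r = find_buf(dst);
    if (r == NULL) return -1;
    size_t off  = (uintptr_t)dst - (uintptr_t)r->base;
    size_t room = r->elem - off % r->elem;
    return bounded_copy(dst, room, src);
}

/* Walks the cases from the thread; returns 0 if every check holds,
 * otherwise the number of the first failing check. */
int demo(void)
{
    char buf[16], table[4][8], *ptr = buf;
    int r;

    r = ARRAY_STRCPY(buf, "hello");                      /* sizeof(buf) is 16 */
    if (r != 5 || strcmp(buf, "hello") != 0) return 1;
    r = ARRAY_STRCPY(buf, "0123456789ABCDEFGHIJ");       /* 20 chars: truncated */
    if (r != -1 || strlen(buf) != 15) return 2;
    /* ARRAY_STRCPY(ptr, "x"); would fail to compile: ptr is not an array. */

    if (ptr_strcpy(ptr, "x") != -1) return 3;            /* not registered yet */
    register_buf(buf, sizeof buf, sizeof buf);
    if (ptr_strcpy(ptr, "hello again") != 11) return 4;
    r = ptr_strcpy(buf + 10, "abcdefgh");                /* interior: 6 bytes left */
    if (r != -1 || strlen(buf + 10) != 5) return 5;

    register_buf(table, sizeof table, sizeof table[0]);  /* 4 rows of 8 */
    memset(table, 'Z', sizeof table);
    r = ptr_strcpy(table[1], "this is too long");        /* stays inside row 1 */
    if (r != -1 || strlen(table[1]) != 7 || table[2][0] != 'Z') return 6;

    unregister_buf(buf);
    unregister_buf(table);
    return 0;
}

int main(void)
{
    int failed = demo();
    if (failed) printf("check %d failed\n", failed); else puts("all checks passed");
    return failed;
}
```

In a real build the registration calls would live in the allocation wrappers and the deregistration in your own free() and function epilogues, as Michal outlines; demo() drives them by hand. The lookup is linear here, which is fine for a handful of fixed buffers but would want a tree or a page-indexed table once every heap allocation is registered.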