RE: Any reason not to use strcpy, strcat or scanf?

From: Keller, Tim (Tim.Keller_at_stratus.com)
Date: 07/14/04

  • Next message: Danny Messano: "Re: A possible "new ?" DOS exploit with IE"
    To: Secbasics <security-basics@securityfocus.com>
    Date: Wed, 14 Jul 2004 15:23:24 -0400
    
    

    A.V.,

    Yeah. The reason you shouldn't use these because they don't do any bounds
    checking. Thus you could have a situation where you've defined an 80
    character array and then write a 180 characters into it, going off the end
    of the variable and stomping on whatever is past it...

    What you should use is strncpy and strncat. These force you to specify that
    you only copy or concatonate "n" bytes from the source into the destination.

    Check out this site, it's got some very good info on what your interested
    in.

    http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/dangers-c.html

    -----Original Message-----
    From: A.V. [mailto:pahalial.lists@gmail.com]
    Sent: Wednesday, July 14, 2004 7:00 AM
    To: Secbasics
    Subject: Any reason not to use strcpy, strcat or scanf?

    Hi,

    I was simply wondering after seeing the "blackhat audit" program sent
    to F-D whether there was actually any reason not to use these
    functions (strcpy/strcat/scanf) in your code. I mean, I understand why
    you shouldn't use scanf to i.e. process user input, but other than
    that? Some kind of unexpected behaviour or something?

    Thanks,
    A.V.

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


  • Next message: Danny Messano: "Re: A possible "new ?" DOS exploit with IE"

    Relevant Pages

    • RE: Removing Local Admin Rights...
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: HIPAA_Compliance
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Cisco CSA
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Minimum password requirements
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • Betr.: RE: fax software in the domain
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... pen testing experience in our state of the art hacking lab. ... Attend a course taught by an expert instructor with years of in-the-field ...
      (Security-Basics)