Re: Stack growth direction to thwart buffer overflow attacks
From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 08/20/03
- Next message: Casper H.S. ***: "Re: Stack growth direction to thwart buffer overflow attacks"
- Previous message: Casper H.S. ***: "Re: Stack growth direction to thwart buffer overflow attacks"
- In reply to: phn_at_icke-reklam.ipsec.nu: "Re: Stack growth direction to thwart buffer overflow attacks"
- Next in thread: Casper H.S. ***: "Re: Stack growth direction to thwart buffer overflow attacks"
- Reply: Casper H.S. ***: "Re: Stack growth direction to thwart buffer overflow attacks"
- Reply: Douglas Siebert: "Re: Stack growth direction to thwart buffer overflow attacks"
Date: Wed, 20 Aug 2003 08:01:22 +0000 (UTC)
phn@icke-reklam.ipsec.nu writes:
]In comp.security.misc Frank Cusack <fcusack@fcusack.com> wrote:
]> On Sat, 16 Aug 2003 13:05:20 -0400 Tony Nelson <tonynlsn@shore.net> wrote:
]>> Surely not. I prefer to use:
]>>
]>> target[0] = 0;
]>> strncat(target,source,sizeof(target));
]>>
]>> strncat puts a NUL at the end of the string.
]> No, it doesn't. This is a prime example of what I think is a worse
]> problem than the wrong language (C), it's not understanding how to
]> use the API.
]Quoting from FreeBSD's manpage for strncat(3) :
]LIBRARY
] Standard C Library (libc, -lc)
]SYNOPSIS
] #include <string.h>
] char *
] strcat(char *s, const char *append);
] char *
] strncat(char *s, const char *append, size_t count);
]DESCRIPTION
] The strcat() and strncat() functions append a copy of the null-terminated
] string append to the end of the null-terminated string s, then add a
] terminating `\0'. The string s must have sufficient space to hold the
] result.
] The strncat() function appends not more than count characters from
] append, and then adds a terminating `\0'.
]> strn* are NOT guaranteed to NUL terminate. They may do so on your
]> specific platform, which is where you lose because your code will be
]> used in unexpected ways on other platforms or other libc
]> implementations.
]> Why strn* were designed so poorly is another question.
]Maybe some reading will make this clear ?
And maybe some reading by you will make things clear as well.
man strncpy on Linux glibc 2.3
The strncpy() function is similar, except that not more than n bytes of
src are copied. Thus, if there is no null byte among the first n bytes
of src, the result will not be null-terminated.
As Cusack says, one problem is that strn* are inconsistent on different
platforms, so that when you write on a platform assuming your behaviour,
and your code gets ported, BANG. A bug.
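The two behaviours quoted from the man pages in this thread, as an added example that is not code from any of the posters: strncpy() leaves the destination unterminated when the source has n or more bytes, while strncat() always terminates but stores up to count + 1 bytes, so the count has to be one less than the space left. Function names, buffer sizes and the input string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if strncpy(dst, src, n) left no NUL in the first n bytes of dst. */
int strncpy_left_unterminated(const char *src, size_t n)
{
    char dst[64];
    if (n > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);   /* poison so a missing NUL is visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Bytes strncat stores (appended chars plus its NUL) when appending src
 * to an empty string. Done in a 64-byte arena so nothing overflows. */
size_t strncat_bytes_written(const char *src, size_t count)
{
    char arena[64];
    if (count >= sizeof arena) return 0;
    memset(arena, 'X', sizeof arena);
    arena[0] = '\0';
    strncat(arena, src, count);
    return strlen(arena) + 1;
}

/* Bounded copy that always terminates; returns 1 if src was truncated. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return 1;
    dst[0] = '\0';
    strncat(dst, src, dstsize - 1); /* count excludes the NUL strncat adds */
    return strlen(src) > dstsize - 1;
}

int main(void)
{
    const char *src = "ABCDEFGHIJ";  /* constructed input, 10 characters */
    char target[8];
    printf("strncpy, n=8: unterminated=%d\n", strncpy_left_unterminated(src, 8));
    printf("strncat, count=8: %zu bytes stored\n", strncat_bytes_written(src, 8));
    printf("copy_bounded: truncated=%d, result=\"%s\"\n",
           copy_bounded(target, sizeof target, src), target);
    return 0;
}
```

With an 8-byte target, passing sizeof(target) as the strncat() count lets it store 9 bytes, which is why copy_bounded() passes dstsize - 1.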