| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3F9C6C95.40806@hutley.net> From: brett at hutley.net (Brett Hutley) Subject: [inbox] Re: RE: Linux (in)security Ted Unangst wrote: > On Mon, 27 Oct 2003, Brett Hutley wrote: > > >>char buf[10]; >>const char *str1 = "OVER"; >>const char *str2 = "FLOW!!!!!"; >>sprintf(buf, "%s%s", str1, str2); >> >>Admittedly a contrived example. The best way to handle this type of >>stuff is to provide "safe" functions - like a sprintfn() that takes the >>maximum size of the buffer to write into as an argument. This function >>is reasonably tricky to write however. Consider the following example: > > > erm, snprintf? the reasonably tricky to implement part is kinda true, > there are/were many implementations which didn't do the right thing, but i > think that's improved. Sorry, yes, snprintf() *doh* -- Brett Hutley [MAppFin,CISSP,SANS GCIH] mailto:brett@...ley.net http://hutley.net/brett
Powered by blists - more mailing lists