Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 22 Nov 2014 17:28:00 +1100
From: Joshua Roers <honey@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Off-by-one question

Hi guys,

I'm just wondering, is it possible to use strncpy to overwrite memory
addresses?

i.e:

> char buf[4];
> strncpy(buf, "Four", sizeof(buf));
> buf[sizeof(buf)-1] = '\0';
> printf("%s\n", buf);

Since
> strncpy(buf, "Four", sizeof(buf)); 
is not
> strncpy(buf, "Four", sizeof(buf)-1); 
will strncpy write beyond the memory of 'buf', and set it to NUL?


>From my understanding from
http://cwe.mitre.org/data/definitions/193.html, it would.
".. creating a buffer overflow that may cause a memory address to be
overwritten .."


But actually RTFM, strncpy will not write, even the NUL, past the size.

So it looks like I'm either reading mitre wrong, or it may be outdated.


Any opinions on this?


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.