[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 22 Nov 2014 11:47:39 -0500
From: Stuart Gathman <stuart@...hman.org>
To: oss-security@...ts.openwall.com
Subject: Re: Off-by-one question
On 11/22/2014 01:28 AM, Joshua Roers wrote:
>
>> char buf[4];
>> strncpy(buf, "Four", sizeof(buf));
>> buf[sizeof(buf)-1] = '\0';
>> printf("%s\n", buf);
> Since
>> strncpy(buf, "Four", sizeof(buf));
> is not
>> strncpy(buf, "Four", sizeof(buf)-1);
> will strncpy write beyond the memory of 'buf', and set it to NUL?
>
>
> >From my understanding from
> http://cwe.mitre.org/data/definitions/193.html, it would.
> ".. creating a buffer overflow that may cause a memory address to be
> overwritten .."
>
>
> But actually RTFM, strncpy will not write, even the NUL, past the size.
>
> So it looks like I'm either reading mitre wrong, or it may be outdated.
>
>
> Any opinions on this?
The snippet will print Fou. The contract for strncpy is:
The strncpy() function is similar, except that at most n bytes
of src
are copied. Warning: If there is no null byte among the first
n bytes
of src, the string placed in dest will not be null terminated.
So you are correct. Unless strncpy is broken.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
