Date: Sat, 22 Nov 2014 11:47:39 -0500 From: Stuart Gathman <stuart@...hman.org> To: oss-security@...ts.openwall.com Subject: Re: Off-by-one question On 11/22/2014 01:28 AM, Joshua Roers wrote: > >> char buf; >> strncpy(buf, "Four", sizeof(buf)); >> buf[sizeof(buf)-1] = '\0'; >> printf("%s\n", buf); > Since >> strncpy(buf, "Four", sizeof(buf)); > is not >> strncpy(buf, "Four", sizeof(buf)-1); > will strncpy write beyond the memory of 'buf', and set it to NUL? > > > >From my understanding from > http://cwe.mitre.org/data/definitions/193.html, it would. > ".. creating a buffer overflow that may cause a memory address to be > overwritten .." > > > But actually RTFM, strncpy will not write, even the NUL, past the size. > > So it looks like I'm either reading mitre wrong, or it may be outdated. > > > Any opinions on this? The snippet will print Fou. The contract for strncpy is: The strncpy() function is similar, except that at most n bytes of src are copied. Warning: If there is no null byte among the first n bytes of src, the string placed in dest will not be null terminated. So you are correct. Unless strncpy is broken.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.